adobe-ccf-v5.yaml

urn: urn:intuitem:risk:library:adobe-ccf-v5
locale: en
ref_id: adobe-ccf-v5
name: Adobe CCF v5
description: 'Adobe Common Controls Framework (CCF) version 5

  https://www.adobe.com/trust/compliance/adobe-ccf.html

  '
copyright: Creative Commons
version: 2
provider: Adobe
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:adobe-ccf-v5
    ref_id: adobe-ccf-v5
    name: Adobe CCF v5
    description: 'Adobe Common Controls Framework (CCF) version 5

      https://www.adobe.com/trust/compliance/adobe-ccf.html

      '
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      assessable: false
      depth: 1
      name: Asset Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-01
      name: Inventory Management
      description: Organization maintains an inventory of information systems, which
        is reconciled on a periodic basis.
      annotation: '1. Design and document a process for maintaining an inventory of
        information systems for management of assets within an organization.

        2. Perform inventory reconciliation on a periodic basis.

        3. Create and maintain periodic reconciliation documentation.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-02 - Asset Inventory

        E-AM-03 - Asset Reconciliation Records'
      question:
        question_type: unique_choice
        question_choices: &id001
        - 'Yes'
        - 'No'
        - N/A
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:1
          text: 1. Inspect the policy and standard to determine whether requirements
            for maintaining and reconciling a system of inventory for information
            systems are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:2
          text: 2. Observe the inventory of system devices to determine whether the
            organization maintains the inventory in a system of record.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:3
          text: 3. Inspect periodic reconciliation documentation to determine whether
            reconciliation was performed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-02
      name: 'Inventory Management: Applications'
      description: Organization maintains an inventory of application assets, which
        is reconciled on a periodic basis.
      annotation: '1. Design and document a process for maintaining an inventory of
        application assets for management of assets within an organization.

        2. Perform inventory reconciliation on a periodic basis.

        3. Create and maintain periodic reconciliation documentation.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-02 - Asset Inventory

        E-AM-03 - Asset Reconciliation Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:1
          text: 1. Inspect the policy and standard to determine whether requirements
            for maintaining and reconciling a system of inventory for application
            assets are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:2
          text: 2. Observe the inventory of system devices to determine whether the
            organization maintains the inventory in a system of record.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:3
          text: 3. Inspect periodic reconciliation documentation to determine whether
            reconciliation was performed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-03
      name: 'Inventory Reconciliation: ARP Table'
      description: Organization reconciles network discovery scans against the established
        device inventory on a quarterly basis; non-inventoried devices are assigned
        an owner.
      annotation: '1. Design and document a process for conducting network discovery
        scans on a periodic basis.

        2. Ensure the results of the scans are reconciled with the system asset inventory
        at least quarterly.

        3. Ensure necessary actions are taken to include non-inventoried assets in
        the inventory with appropriate ownership details.'
      typical_evidence: 'E-AM-04 - Network Discovery Scan Records

        E-AM-03 - Asset Reconciliation Records

        E-AM-02 - Asset Inventory'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:1
          text: '1. Inspect network discovery scans result to ensure periodic scans
            were conducted. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:2
          text: 2. Observe the reconciliation report of network discovery scans against
            the established device inventory to determine that the inventories are
            reconciled on a quarterly basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:3
          text: 3. Inspect the device inventory to ensure non-inventoried devices
            have been added and have a designed owner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-04
      name: 'Inventory Reconciliation: Logging'
      description: Organization reconciles the enterprise log repository against the
        established device inventory on a quarterly basis; non-inventoried devices
        are assigned an owner.
      annotation: '1. Ensure logs from enterprise logging solutions are reconciled
        with the system device asset inventory on a quarterly basis.

        2. Ensure necessary actions are taken to include non-inventoried assets in
        the inventory with appropriate ownership details'
      typical_evidence: 'E-AM-03 - Asset Reconciliation Records

        E-AM-02 - Asset Inventory'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:1
          text: 1. Inspect the reconciliation report of enterprise log repository
            against the established device inventory to determine that the inventories
            are reconciled on a quarterly basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:2
          text: 2. Inspect the non-inventoried devices to determine that the assets
            have a designed owner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-05
      name: Inventory Labels
      description: Organization assets are labeled and have designated owners.
      annotation: '1. Ensure all assets in the system device asset inventory are assigned
        appropriate labels as per the organization''s labelling procedures.

        2. Ensure each asset has an assigned owner and accuracy is maintained.'
      typical_evidence: 'E-AM-02 - Asset Inventory

        E-AM-01 - Asset Management Policy'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:1
          text: 1. Inspect documentation to determine whether requirements for asset
            labelling ownership assessment are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:2
          text: 2. Inspect the asset listings to determine whether the assets are
            labelled and have a designated owner.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:3
          text: 3. For a sample of services, inspect the asset reports to determine
            asset are labelled and have a designated owner.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:4
          text: 4. Observe and compare physical assets at an organization's data center
            to determine whether the assets were labelled according to in-scope asset
            listings.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-06
      name: Media Marking
      description: Where applicable, Organization marks information system media indicating
        the distribution limitations, handling caveats, and applicable security markings
        (if any) of the information. Exemptions must be approved by management and
        remain in a specific controlled area.
      annotation: '1. Ensure that a process is established and documented for media
        marking and handling, including distribution limitation.

        2. Ensure that sensitive information containing media is marked as per the
        organization''s media marking requirements as applicable.

        3. Ensure that any exceptions are approved by management, documented and retained
        by authorized personnel.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-05 - Evidence of Media Snapshots'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:1
          text: 1. Inspect information system media marking to indicate the distribution
            limitations, handling caveats, and applicable security markings (if any)
            of the information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:2
          text: 2. Inspect exemption cases to validate that it must be approved by
            management and remain in a specific area.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-07
      name: Asset Transportation Authorization
      description: Organization authorizes and records the entry and exit of systems
        at datacenter locations.
      annotation: '1. Ensure a process is established and documented to control the
        transport of assets in and out of data center locations.

        2. Ensure appropriate records and approvals are obtained and maintained against
        entry and exit of each asset.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-06 - Asset Movement Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:1
          text: 1. Inspect the policy and/or standard to determine whether requirements
            have been established to authorize and record the entry and exit of systems
            at datacenter locations.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:2
          text: 2. Inspect evidence of asset movement from a sample of data centers
            and colocations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-08
      name: Asset Transportation Documentation
      description: Organization documents the transportation of physical media outside
        of datacenters. Physical media is packaged securely and transported in a secure,
        traceable manner.
      annotation: '1. Ensure appropriate records and approvals are obtained and documented
        against entry and exit of each asset.

        2. Ensure all assets being transported are secured as per the organization''s
        policy and can be tracked when offsite.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-06 - Asset Movement Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:1
          text: 1. Inspect the policy and/or standard to determine whether the transportation
            of physical media outside of datacenters are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:2
          text: 2. Inspect the logs of physical media evidence that have been transported
            to determine that physical media is packed securely and transported in
            a secure, traceable manner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-09
      name: Use of Portable Media
      description: The use of portable media in Organization datacenters is prohibited
        unless explicitly authorized by management.
      annotation: '1. Ensure policy and procedures are established and communicated
        prohibiting the use of portable media.

        2. Ensure necessary controls are in place to detect the usage of portable
        media inside the organization''s network.

        3. Ensure any exceptions are documented based on business justification and
        need and are approved appropriately.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-07 - Portable Media Configuration Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:1
          text: 1. Inspect the policy and/or standard to determine that the use of
            portable media in the datacenters is prohibited unless explicitly authorized
            by management.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:2
          text: 2. Inspect Configurations to detect the use of portable media.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-10
      name: Maintenance of Assets
      description: Equipment maintenance is documented and approved according to management
        requirements.
      annotation: '1. Ensure a process is established and documented for maintenance
        of assets.

        2. Ensure all maintenance is approved by the management and is carried out
        through approved vendors.

        3. Ensure proper testing of equipment is conducted post maintenance before
        use.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-08 - Asset Maintenance Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:1
          text: 1. Inspect the policy and/or standard to determine whether management
            requirements have been established for the documentation and approval
            of equipment maintenance.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:2
          text: 2. Inspect equipment maintenance requests to determine whether equipment
            maintenance is documented and approved according to management requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-11
      name: Tampering of Payment Card Capture Devices
      description: Devices that physically capture payment card data are inspected
        for evidence of tampering on a semi-annual basis.
      annotation: '1. Ensure all payment card devices are inspected on semiannual
        basis to check for tampering.

        2. Ensure that appropriate documentation is maintained regarding maintenance
        activities of these devices'
      typical_evidence: E-AM-09 - Payment Card Device Verification Records
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:1
          text: 1. Inspect devices verification records for tampering check.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:2
          text: 2. Inspect and validate whether these verification were done at least
            semi-annually.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-12
      name: 'Component Installation: Inspection and Approval'
      description: Prior to installation in a production network, hardware components
        are inspected for improper or unauthorized modifications.
      annotation: '1. Ensure a process is established and documented for approval
        of hardware prior to installation on production.

        2. Ensure each asset is inspected with agreed on procedures before being enabled
        on production.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-10 - Hardware Installation Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:1
          text: 1. Validate if a process exists for the approval and verification
            of hardware prior to production installation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:2
          text: 2. Inspect hardware components installation records in a production
            network to determine that modifications were validated before installation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
      ref_id: AM-13
      name: Software bill of Material
      description: Organization maintains a comprehensive software bill of materials
      annotation: '1. Ensure a Software bill of material is established.

        2. Ensure that a process has been established and documented for the  addition,
        removal,  and update of components from SBOM.'
      typical_evidence: 'E-AM-01 - Asset Management Policy

        E-AM-11 - Software Bill of Materials'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:1
          text: 1. Inspect and validate that a Software bill of material is established.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:2
          text: 2. Validate that a process has been established and documented for
            addition, removal,  and update of components from SBOM.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      assessable: false
      depth: 1
      name: Business Continuity
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-01
      name: Business Continuity Plan
      description: Organization's business contingency plan is periodically reviewed,
        approved by management and communicated to relevant team members.
      annotation: '1. Design and document a process for Business Continuity and Disaster
        Recovery.

        2. Define steps for recovery with all roles and responsibilities in the Business
        Continuity Plan.

        3. Ensure that the Business Continuity Plan is approved by the process owners,
        and is communicated to all the relevant team members.'
      typical_evidence: 'E-BC-01 - Business Continuity Policy

        E-BC-02 - Business Continuity Plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:1
          text: 1. Inspect and validate whether the Business Continuity and Disaster
            Recovery Processes are designed and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:2
          text: "2. Inspect Organization's Business Continuity Plan (\u201CBCP\u201D\
            ) to determine whether Organization has established recovery steps and\
            \ phases, recovery capabilities, and identified personnel responsible\
            \ to execute recovery procedures."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:3
          text: "3. Inspect the most recent version of Organization\u2019s BCP to\
            \ determine whether it is periodically reviewed and approved."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:4
          text: "4. Inspect the corporate intranet to determine whether Organization\u2019\
            s BCP is communicated to relevant team members."
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-02
      name: 'Business Continuity Plan: Personal Health Information'
      description: Organization's Business Contingency Plan addresses how to access
        facilities and obtain data during an emergency.
      annotation: 1. Ensure that steps to be followed in case of an emergency are
        clearly mentioned in the Business Continuity Plan so that access to the facilities
        and data is facilitated during an emergency.
      typical_evidence: E-BC-02 - Business Continuity Plan
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02:question:1
          text: 1. Inspect an organization's Business Contingency Plan to determine
            whether Organization has addresses how to access facilities and obtain
            data during an emergency.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-03
      name: 'Business Continuity Plan: Roles and Responsibilities'
      description: Business contingency roles and responsibilities are assigned to
        individuals and their contact information is communicated to authorized personnel.
      annotation: '1. Check that roles and responsibilities are clearly defined in
        the Business Continuity Plan. There should be proper demarcation of responsibilities
        during each phase of the crisis.

        2. Ensure that the contact information for all the stakeholders is defined
        within Business Continuity Plan and should be up to date, documented, and
        communicated to all authorized personnel.

        3. Ensure that people with roles and responsibilities within Business Continuity
        Plans are well aware of their responsibilities.'
      typical_evidence: E-BC-02 - Business Continuity Plan
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:1
          text: 1. Inspect documentation consisting of business contingency roles
            and responsibilities. .
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:2
          text: 2. Inspect whether the contact information of personnel with business
            continuity responsibilities are documented within the Business Continuity
            Plan.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:3
          text: 3. Inspect evidence to check whether roles and responsibilities are
            communicated to all applicable stakeholders and audience
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-04
      name: Continuity Testing
      description: "Organization performs business contingency and disaster recovery\
        \ tests on a periodic basis and ensures the following: \n\u2022 tests are\
        \ executed with relevant contingency teams\n\u2022 test results are documented\n\
        \u2022 corrective actions are taken for exceptions noted\n\u2022 plans are\
        \ updated based on results"
      annotation: '1. Ensure that Business Continuity testing should be performed
        on a periodic basis as per the organization policy.

        2. The business continuity testing should emulate the Business Continuity
        Plan and should check the coverage and efficiency of the plan. All the relevant
        team preparedness should be assessed in this testing.

        3. Ensure that the test results are documented, and any exceptions are noted
        and appropriate corrective action is undertaken.'
      typical_evidence: E-BC-03 - Business Continuity/Disaster Recovery Test Results
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:1
          text: 1. Inspect whether Business Continuity Testing was performed on a
            periodic basis as per the organization's policy.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:2
          text: 2. Inspect the most recent BCP test and inspect DR tests results to
            determine whether tests were executed and results were documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:3
          text: 3. Validate whether the results of the testing exercises were tracked
            to remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-05
      name: Business Impact Analysis
      description: Organization identifies the business impact of relevant threats
        to assets, infrastructure, and resources that support critical business functions.
        Recovery objectives are established for critical business functions.
      annotation: "1. Design and document a process for conducting Business Impact\
        \ Analysis to determine the criticality of business activities and associated\
        \ resource requirements.\n2. Ensure that BIA is conducted for all processes\
        \ and assets to identify criticality.\n3. Ensure that recovery objectives\
        \ are established for critical processes.\n "
      typical_evidence: 'E-BC-01 - Business Continuity Policy

        E-BC-02 - Business Continuity Plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:1
          text: 1. Inspect and validate whether a documented process exists for conducting
            Business Impact Analysis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:2
          text: 2. Inspect Business Impact Analysis to determine whether the threats
            to assets, infrastructure, and resources are identified and the recovery
            objectives are established.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16
      ref_id: BC-06
      name: Capacity Forecasting
      description: Budgets for infrastructure capacity are established based on analysis
        of historical business activity and growth projections; purchases are made
        against the established budget and plans are updated on a quarterly basis.
      annotation: "1. Ensure that  capacity forecasts are created based on the business\
        \ forecasts, growth projections and analysis of historic business activity.\n\
        \ \n2. Ensure that budget allocation is done for infrastructure and resources\
        \ basis Capacity forecasts."
      typical_evidence: E-BC-05 - Capacity Planning Meeting Minutes
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:1
          text: 1. Inspect and validate whether capacity planning was done and forecasts
            were created.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:2
          text: 2. Validate whether budgets were established and capacity forecasts
            were taken into the account for the same.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      assessable: false
      depth: 1
      name: Backup Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      ref_id: BM-01
      name: Backup Configuration
      description: Organization configures redundant systems or performs periodic
        backups of data to resume system operations in the event of a system failure.
      annotation: '1. Ensure that Backup and Restoration process is established, documented
        and communicated to all the relevant stakeholders.

        2. Ensure that all the information systems have redundancy or should be backed
        up periodically. Periodicity of the backup should be defined basis the criticality
        of the information system and data.

        3. Check the backup configuration for all the storage/database resources whether
        on-prem or on cloud.

        4. Ensure that alert are in place for backup failures and all backup failures
        are handled appropriately.'
      typical_evidence: 'E-BM-01 - Backup Management Policy

        E-BM-07 - Backup Configuration Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:1
          text: 1. Inspect documentation to determine whether requirements for the
            configuration of redundant systems or performance of periodic backups
            of data to resume system operations are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:2
          text: 2.Inspect redundancy or system backup configurations for production
            systems to determine type, frequency, and storage of backups.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:3
          text: 3. Inspect sample alerts for failed backups and validate the remediation
            steps.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      ref_id: BM-02
      name: Resilience Testing
      description: Organization performs annual backup restoration or data replication
        tests to confirm the reliability and integrity of system backups or recovery
        operations.
      annotation: "1. Ensure that the requirement for backup restoration testing is\
        \ defined and documented appropriately. \n2. Ensure that backup restoration\
        \ testing is performed on an annual basis and ensure that the integrity of\
        \ backup restores are maintained. "
      typical_evidence: 'E-BM-01 - Backup Management Policy

        E-BM-02 - Backup Restoration Test Results'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:1
          text: 1. Inspect relevant documentation to determine whether requirements
            for annual backup restoration or failover and failback tests have been
            defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:2
          text: 2. Inspect annual backup restoration, or failover and failback tests
            to determine whether Organization has tested the reliability and integrity
            of system backups.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      ref_id: BM-03
      name: Backup Failure Review
      description: Failed backup jobs are periodically reviewed and resolved in a
        timely manner.
      annotation: "1. Ensure that alert are sent to the system administrators in case\
        \ of backup failures.\n 2. All backup failures should be handled appropriately\
        \ and resolved in a timely manner."
      typical_evidence: 'E-BM-03 - Evidence of Failed Backup Review

        E-BM-06 - Sample Alerts for Backup Failure'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:1
          text: 1. Inspect whether failed backup jobs are being reviewed periodically.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:2
          text: 2. Inspect alerts are configured to notify administrators if backup
            fails.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:3
          text: 3. Inspect and validate the remediation process for failed backups.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      ref_id: BM-04
      name: Alternate Storage
      description: Organization backups are securely stored in an alternate location
        from source data.
      annotation: '1. Ensure that the backups are stored in an alternate location
        than the source data.

        2. Ensure that access to the backups is restricted and backups are stored
        securely.'
      typical_evidence: E-BM-04 - Backup Configuration Evidence
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:1
          text: 1. Inspect whether backups are stored in a different location than
            the source data.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:2
          text: 2. Inspect evidence showing that backups are secured and access in
            restricted.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23
      ref_id: BM-05
      name: Alternate Telecommunication
      description: Alternate telecommunication service agreements have been established
        to resume business when the primary service gets disrupted. Service agreements
        contain priority of service provisions.
      annotation: '1. Ensure that alternate telecommunication service agreements are
        defined to resume business when the primary service gets disrupted.

        2. The priority of the service provisions should be defined in the service
        agreements.'
      typical_evidence: E-BM-05 - Alternate Telecommunications Agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:1
          text: 1. Inspect whether alternate telecommunication service agreements
            are defined to resume business when the primary service gets disrupted.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:2
          text: 2. Inspect documentation to determine that the Service agreements
            contain priority of service provisions.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      assessable: false
      depth: 1
      name: Configuration Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-01
      name: Baseline Configuration Standard
      description: Organization ensures security hardening and baseline configuration
        standards have been established according to industry standards and are reviewed
        and updated periodically.
      annotation: "1. Prepare and maintain Security hardening and Baseline configuration\
        \ standards shall be established.\n2. Configuration of systems (systems can\
        \ include AWS, Azure, GCP, and more) shall be configured with the baseline\
        \ configuration.\n3. Configure required permissions for the configuration\
        \ management server. \n4. Configuration of Security Groups, NACLs, and virtual\
        \ firewall appliances shall be in place.\n5. Configuration of VPC Firewall\
        \ Rules and virtual firewall appliances to allow traffic from the configuration\
        \ management server to the other system servers.\n6. All production systems\
        \ shall be able to demonstrate consistent system configurations via version\
        \ control number, last update date, settings, or other.\n7. Process shall\
        \ be established to ensure that latest version patch (hardened as per industry\
        \ practices) is applied wherever possible.\n8. Ensure that security hardening\
        \ and configuration baselines are monitored are flagged wherever deviation\
        \ is observed.\n9. Establish a process ensuring regular rule set reviews are\
        \ conducted by relevant teams for network devices."
      typical_evidence: "Log Management - \nE-CFM-01 - Firewall standard\nE-CFM-02\
        \ - Configuration Management Standard\nE-CFM-03 - Periodic Rule review documentation\n\
        E-CFM-04 - System generated Latest patch versioning documentation\nE-CFM-05\
        \ - Configuration deviation samples"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:1
          text: 1. Validate whether Security hardening and Baseline configuration
            standards are established.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:2
          text: 2. Inspect baseline configuration of systems (systems can include
            AWS, Azure, GCP, and more) shall be configured with the baseline configuration.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:3
          text: '3. Validate whether the required permissions are present for the
            configuration management server. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:4
          text: 4. Inspect Security Groups, NACLs, and virtual firewall appliances
            configurations.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:5
          text: 5. Validate whether VPC Firewall Rules and virtual firewall appliances
            are configured to allow traffic from the configuration management server
            to the other system servers.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:6
          text: '6. Inspect production systems to determine whether they demonstrate
            consistent system configurations via version control #, last update date,
            settings, or other.'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:7
          text: 7. For a sample of in scope servers validate whether latest version
            patch (hardened as per industry practices) is applied wherever possible.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:8
          text: 8. Validate that security hardening and configuration baselines are
            monitored are flagged wherever deviation is observed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:9
          text: 9. Validate that regular rule set reviews are conducted by relevant
            teams for network devices.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-02
      name: Default "Deny-all" Settings
      description: Where applicable, the information system default access configurations
        are set to "deny-all."
      annotation: '1. Prepare a list of in-scope network devices and production accounts
        and ensure that default deny-all rules are configured

        2. Ensure that deny-all rule precedes all other applied rules in terms of
        priority.'
      typical_evidence: "E-AM-02  - \nE-CFM-03 - Periodic Rule review documentation"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:1
          text: 1. For a list of in-scope network devices and production accounts,
            validate that default deny-all rules are configured
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:2
          text: 2. Validate that deny-all rule precedes all other applied rules in
            terms of priority.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-03
      name: 'Remote Access: Prohibited Protocols and Commands'
      description: Organization defines a listing of prohibited user commands and
        prohibited protocols that can be used in a remote session.
      annotation: 1. Prepare and maintain the listing of prohibited user commands
        and prohibited protocols that can be used in a remote session.
      typical_evidence: 'E-CFM-06 - Security hardening standard '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03:question:1
          text: 1. Inspect security hardening standard to determine the listing of
            prohibited user commands and prohibited protocols that can be used in
            a remote session.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-04
      name: Data Execution Prevention
      description: Organization ensures data execution prevention (DEP) security features
        are enabled on production hosts to restrict code execution within memory.
      annotation: '1. Ensure that configuration setting includes data execution prevention
        (DEP) security features enabled on production hosts to restrict code execution
        within memory. '
      typical_evidence: 'E-CFM-02 - Configuration Management Standard

        E-CFM-03 - Periodic Rule review documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04:question:1
          text: '1. Check configuration setting to ensure data execution prevention
            (DEP) security features are enabled on production hosts to restrict code
            execution within memory. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-05
      name: Client Run Time Technologies
      description: Organization disables prohibited client run time technologies on
        information systems.
      annotation: 1. Establish a process to ensure no prohibited application/software
        is installed on the machine.
      typical_evidence: E-CFM-07 - Authorized application/software listing
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05:question:1
          text: 1. Inspect Organization's software compliance dashboard, to ensure
            no prohibited application/software is installed on the machine.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-06
      name: Prohibited Activity Monitoring
      description: Organization information systems are configured to explicitly deny
        a predefined list of activities.
      annotation: '1. Prepare a list of activities that shall be denied on Information
        Systems, e.g., removable media restriction.

        2. Ensure that the denied activities are enforced on the Information systems.

        3. Ensure that the logs are being maintained for monitoring.

        4. The list shall be reviewed periodically.'
      typical_evidence: 'E-CFM-08 - List of denied activities on information systems

        E-CFM-09 - Review history documentation

        E-CFM-10 - Information systems activity logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:1
          text: 1. Validate whether a list is being maintained that has the activities
            that shall be denied on Information Systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:2
          text: 2. Inspect the activity logs to validate whether the denied activities
            are enforced and monitored on the Information systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:3
          text: 3. Validate whether the periodic review history documentation is present.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-07
      name: Configuration Checks
      description: Organization uses mechanisms to detect deviations from baseline
        configurations on production environments.
      annotation: '1. Ensure that security hardening and configuration baselines are
        being monitored for in-scope servers.

        2. Deviations shall be generated for in-scope servers for which remediations
        shall be tracked to closure.

        3. Design a process for security hardening and configuration baselines checks
        being accurate and updated at least annually.'
      typical_evidence: 'E-CFM-11 - Security hardening and configuration baselines
        checks review documentation

        E-CFM-05 - Configuration deviation samples'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:1
          text: 1. Validate that security hardening and configuration baselines are
            being monitored for in-scope servers.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:2
          text: 2. Validate that deviations are being generated for in-scope servers
            and remediations are tracked to closure.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:3
          text: 3. Validate that the security hardening and configuration baselines
            checks are accurate and updated at least annually.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-08
      name: 'Configuration Check Reconciliation: Logging'
      description: Organization reconciles the established device inventory against
        the enterprise log repository on a quarterly basis; devices which do not forward
        security configurations are remediated.
      annotation: '1. Prepare an asset register to ensure asset life cycle is maintained
        as per the defined policy and/or standard of asset management.

        2. Establish a process through which the device configuration logs can be
        fetched and reconciled with asset register quarterly.

        3. Ensure that a process is established that tracks the deviations to remediation.'
      typical_evidence: "E-AM-02 - Asset Inventory\nE-CFM-12 with E-AM-02 - \nE-CFM-05\
        \ - Configuration deviation samples"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:1
          text: 1. Inspects Organization asset register to ensure asset life cycle
            is maintained as per the defined policy and/or standard of asset management.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:2
          text: 2. Validate whether the device configuration logs are being reconciled
            with asset register quarterly.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:3
          text: 3. Validate for a sample of deviations whether the remediation is
            done in a timely manner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-09
      name: Time Clock Synchronization
      description: Systems are configured to synchronize information system time clocks
        based on International Atomic Time or Coordinated Universal Time (UTC).
      annotation: '1. Ensure that the inventory includes all the ICT devices such
        as firewalls, routers and servers.

        2. Ensure that a process has been established to use only hardened images
        for the servers.

        3. Ensure that the NTP configuration (primary & secondary NTP servers) for
        these devices is configured.

        4. Ensure that the time sync is enabled and stratums are defined.'
      typical_evidence: 'E-CFM-02 - Configuration Management Standard

        E-CFM-14 - Sample server configuration

        E-CFM-13 - NTP Server configuration

        E-CFM-15 - NTP server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:1
          text: 1. Obtain a list of  in-scope ICT devices such as firewalls, routers
            and servers.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:2
          text: 2. For servers, validate that security hardened images are used.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:3
          text: 3. Obtain the NTP configuration for a sample of devices and check
            whether primary and secondary NTP servers are configured.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:4
          text: 4. Validate whether time sync is enabled and stratums are defined
            and the time servers are working.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-10
      name: Time Clock Configuration Access
      description: Access to modify time data is restricted to authorized personnel.
      annotation: '1. Ensure that the ability to modify time data is restricted to
        authorized personnel.

        2. Ensure that access reviews of authorized users and all remediations are
        appropriately tracked'
      typical_evidence: 'E-CFM-16 - Logical Access Management Standard

        E-CFM-17 - Access Review Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:1
          text: '1. Obtain a list of all users who have the ability to modify time
            data. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:2
          text: 2. Validate whether access reviews of these users were performed and
            all remediations are appropriately tracked
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-11
      name: Default Device Passwords
      description: Vendor-supplied default passwords are changed according to Organization
        standards prior to device installation on the Organization network or immediately
        after software or operating system installation.
      annotation: '1. Ensure that the security hardening and configuration baseline
        checks include enforcing disablement of default accounts.

        2. Ensure that the security hardening and configuration baseline deviations
        are being tracked to resolution'
      typical_evidence: 'E-CFM-02 - Configuration Management Standard

        E-CFM-05 - Configuration deviation samples'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:1
          text: 1. Inspect security hardening and configuration baseline checks to
            determine whether they are configured to enforce disabling of default
            accounts.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:2
          text: 2. Validate that the security hardening and configuration baseline
            deviations are being tracked to resolution.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-12
      name: Process Isolation
      description: Organization implements only one primary function per server within
        the production environment; the information system maintains a separate execution
        domain for each executing process.
      annotation: '1. Ensure that the security hardening and configuration baseline
        checks include installing one primary function per server within the production
        environment and the information system maintains a separate execution domain
        for each executing process.

        2. Ensure that the security hardening and configuration baseline deviations
        are being tracked to resolution.'
      typical_evidence: 'E-CFM-02 - Configuration Management Standard

        E-CFM-18 - Sample of server logs

        E-CFM-05 - Configuration deviation samples'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:1
          text: 1. Inspect security hardening and configuration baseline checks include
            installing one primary function per server within the production environment
            and the information system maintains a separate execution domain for each
            executing process.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:2
          text: 2. Validate that the security hardening and configuration baseline
            deviations are being tracked to resolution.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-13
      name: Collaborative Devices
      description: Where applicable, collaborative computing devices used at Organization
        are configured to restrict remote activation and provide an explicit indication
        that they are in use.
      annotation: '1. In case of collaborative computing devices, ensure that an explicit
        indication is documented confirming its use and requirement.

        2. Ensure that the security hardening and configuration baseline checks are
        configured to restrict remote activation on collaborative computing devices.

        3. Ensure that the security hardening and configuration baseline deviations
        are being tracked to resolution'
      typical_evidence: 'E-CFM-02 - Configuration Management Standard

        E-CFM-19 - Sample of collaborative computing device logs

        E-CFM-05 - Configuration deviation samples'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:1
          text: 1. Validate whether the use of collaborative computing devices is
            being flagged and justification of its use is documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:2
          text: 2. Inspect security hardening and configuration baseline checks to
            determine whether collaborative computing devices are configured to restrict
            remote activation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:3
          text: 3. Validate that the security hardening and configuration baseline
            deviations are being tracked to resolution
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-14
      name: Software Installation
      description: Installation of software or programs in the production environment
        is approved by authorized personnel.
      annotation: '1. Ensure Security hardening and Baseline configuration standards
        includes process established to determine whether the installation of software
        or programs in the production environment is approved by authorized personnel.

        2. Prepare an authorized approval matrix for installation of software or programs
        in the production environment.'
      typical_evidence: "E-CFM-02         - \nE-CFM-20 - Authorized approval matrix"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:1
          text: 1. Inspect Security hardening and Baseline configuration standards
            to ensure that the installation of software or programs in the production
            environment is approved by authorized personnel is defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:2
          text: 2. Inspect the authorized approval matrix for installation of software
            or programs in the production environment.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29
      ref_id: CFM-15
      name: Job Schedules
      description: "Schedule changes or the modifications of production jobs require:\n\
        \u2022 documented approval from authorized personnel\n\u2022 documented monitoring\
        \ details"
      annotation: "1. Prepare, document, and periodically review Organization's change\
        \ management standard.\n2. Ensure that the change management process includes\
        \ tracking to determine whether schedule changes or the modifications of production\
        \ jobs require:\n\u2022 documented approval from authorized personnel\n\u2022\
        \ documented monitoring details"
      typical_evidence: 'E-CFM-21 - Change Management Standard

        E-CFM-22 - Sample of change requests

        E-CFM-23 - Sample of documented approval on production job changes

        E-CFM-24 - Sample of documented change monitoring details'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:1
          text: 1. Obtain Organization's change management standard and validate whether
            it is periodically reviewed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:2
          text: '2. For a sample of change tickets, inspect change management process
            flow documentation (e.g., ticketing/tracking tools) to determine whether
            schedule changes or the modifications of production jobs require:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:3
          text: "\u2022 documented approval from authorized personnel"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:4
          text: "\u2022 documented monitoring details"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45
      assessable: false
      depth: 1
      name: Change Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45
      ref_id: CHM-01
      name: Change Management Workflow
      description: Change scope, change type, and roles and responsibilities are pre-established
        and documented in a change control workflow; notification and approval requirements
        are also pre-established based on risk associated with change scope and type.
      annotation: "1. Ensure that the change management process is established and\
        \ well-documented, and should be approved by the management and communicated\
        \ to all the relevant stakeholders.\n2. Ensure that roles and responsibilities\
        \ are defined for each activity and  change scope, that change type is predefined.\
        \ \n3. Ensure that the change workflow has a mandatory approval and notification\
        \ requirements incorporated based on risk and change type."
      typical_evidence: 'E-CHM-01 - Change Management Policy

        E-CHM-03 - Change Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:1
          text: "1. Inspect Organization\u2019s policy to determine whether:"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:2
          text: a. Change scope, change type, and roles and responsibilities are pre-established.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:3
          text: b. Notification and approval requirements are pre-established based
            on the risk associated with change scope and type.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:4
          text: 2. Inspect change management ticketing and tracking tools to determine
            whether the change control workflow is defined in accordance with the
            defined requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45
      ref_id: CHM-02
      name: Change Approval
      description: "Prior to introducing changes into the production environment,\
        \ approval from authorized personnel is required based on the following:\n\
        \u2022 change description\n\u2022 impact of change\n\u2022 test results\n\u2022\
        \ back-out plan"
      annotation: '1. Ensure that all the changes to the production environment are
        tracked in a Change Management tracking tool. All the change details should
        be documented. Some of the mandatory details for each change are:

        a. Change Description

        b. Change Impact

        c. Test Details

        d. Roll-out and Roll-back Plan

        e. Change Approval

        f. Change date and time

        2. All the changes in the production environment should be approved by the
        authorized personnel prior to implementation. Make sure that the approver
        is independent of the change requestor and change implementor. If not, check
        that there a secondary approver to ensure segregation of duty is maintained.

        3. Make sure that the deployment and change logs are retained as per organization''s
        policy.'
      typical_evidence: 'E-CHM-02 - Change Management Tool Configuration

        E-CHM-03 - Change Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:1
          text: '1. Inspect Change Management tracking tool to determine that requirements
            prior to introducing changes into the production environment, approval
            from appropriate personnel is documented including the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:2
          text: a. Change description
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:3
          text: b. Impact of change
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:4
          text: c. Test results
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:5
          text: d. Back-out procedures
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:6
          text: '2. For a sample of changes, inspect corresponding change tickets,
            and verify if it includes the following information:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:7
          text: a. Change Description
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:8
          text: b. Impact of changes
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:9
          text: c. Roll back plan
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:10
          text: d. Evidence of successful testing documentation
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:11
          text: e. Approval of change prior to implementation
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:12
          text: 3. For the sampled changes, validate that the change was approved
            by a person independent of the person who requested or made the change.
            Alternatively, ensure that there is a second level of approval to ensure
            that segregation of duties is being maintained.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:13
          text: 4. Inspect whether the change logs are retained as per the organization's
            policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45
      ref_id: CHM-03
      name: Segregation of Duties
      description: 'Changes to the production environment are implemented by authorized
        personnel. '
      annotation: "1. Ensure that the permission to implement changes to the production\
        \ is limited to few authorized personnels. \n2. Ensure that the change implementor\
        \ is not the change approver."
      typical_evidence: 'E-CHM-02 - Change Management Tool Configuration

        E-CHM-03 - Change Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03:question:1
          text: 1. Inspect Change Management tracking tool and for a sample of changes,
            inspect that change tickets were launched and appropriately approved.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45
      ref_id: CHM-04
      name: Communication of Maintenance and Downtime
      description: Customer-impacting product and system changes are publicly communicated
        on the company website.
      annotation: '1. Ensure that all the changes that impact the customers and customer
        product or services should be communicated to the customers on the company
        website.

        2. In cases of any planned downtime due to a change, it should be communicated
        to the customers in advance on the website.'
      typical_evidence: E-CHM-04 - Company Website Link
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04:question:1
          text: 1. Inspect the company website to determine whether customer-impacting
            product and system changes are publicly communicated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50
      assessable: false
      depth: 1
      name: Customer Managed Security
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50
      ref_id: CMS-01
      name: Customer Administrative Access
      description: For products that enable customers to manage their end users, privileged
        user roles exist with the capability to manage end user access to the relevant
        applications.
      annotation: '1. In cases where customers can manage the access of their end
        users, ensure that ability to configure privileged user roles exist.

        2. Ensure that the customer''s privileged user roles can manage end user access
        to the relevant applications.'
      typical_evidence: 'E-CMS-01 - Customer capabilities in access management console

        E-CMS-05 - Privileged User Roles capabilities'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:1
          text: 1. Validate whether the customers can configure privileged user roles.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:2
          text: 2. Inspect whether the customer defined privileged user roles can
            manage end user access to relevant applications.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50
      ref_id: CMS-02
      name: Customer Authentication
      description: Authentication to organization customer-facing applications are  performed
        through secure log-on procedures.
      annotation: 1. Ensure that authentication to organization customer-facing applications
        are performed through secure log-on procedures.
      typical_evidence: E-CMS-02 - Customer Authentication Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02:question:1
          text: 1. Inspect whether the authentication to organization customer-facing
            applications are performed through secure log-on procedures.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50
      ref_id: CMS-03
      name: Customer Systems Monitoring
      description: As necessary, event logs are made available to customers.
      annotation: '1. Establish a process for the customers to access event logs as
        needed. '
      typical_evidence: E-CMS-03 - Customer Admin Console
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03:question:1
          text: 1. Inspect the customer console to determine how the event logs are
            made available to the customer.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50
      ref_id: CMS-04
      name: Customer Security Engagements
      description: "Organization supports customer-requested security inquiries, questionnaires,\
        \ and audits:\n\u2022 in accordance with customer contracts and agreements\n\
        \u2022 to facilitate due diligence prior to licensing organization products"
      annotation: "1. Establish a documented process to support customer-requested\
        \ security inquiries, questionnaires, and audits:\n\u2022 in accordance with\
        \ customer contracts and agreements\n\u2022 to facilitate due diligence prior\
        \ to licensing organization products"
      typical_evidence: 'E-CMS-02 - Customer Authentication Standard

        E-CMS-04 - Customer contracts and agreements'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:1
          text: '1. Validate whether a process in place to support customer-requested
            security inquiries, questionnaires, and audits:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:2
          text: "\u2022 in accordance with customer contracts and agreements"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:3
          text: "\u2022 to facilitate due diligence prior to licensing organization\
            \ products"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:4
          text: 2. Inspect a sample customer inquiry, questionnaire, or audit.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      assessable: false
      depth: 1
      name: Cryptography
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-01
      name: Encryption Key Maintenance
      description: Cryptographic keys are invalidated when compromised or at the end
        of their defined lifecycle period.
      annotation: '1. Establish a process to ensure that organization approved key
        storage solutions are used.

        2. Ensure that access to the cryptographic key stores is limited to authorized
        personnel.

        3. Establish a process to periodically review the users access list for the
        keys and document the confirmation that these are authorized users.

        4. Establish a process to ensure that the keys are rotated during either of
        the below events:

        a) Suspicion that the key has been compromised

        b) End of key life cycle

        7. In case of termination or transfer of an individual with access to the
        key, establish a process for access review and key rotation.'
      typical_evidence: 'E-CRY-01 - List of approved key storage solutions

        E-CRY-02 - Periodic Access Review documentation

        E-CRY-03 - Sample of Key rotation evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:1
          text: 1. Inspect the process and location of where Encryption keys are stored.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:2
          text: 2. Obtain details of the process to ensure that access to the cryptographic
            key stores is limited to authorized personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:3
          text: 3. Review the users access list for the keys and confirmation that
            these are authorized users.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:4
          text: '4. Obtain confirmation of key rotation at the occurence of either
            of the below events during last quarter:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:5
          text: a) Suspicion that the key has been compromised
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:6
          text: b) End of key life cycle
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:7
          text: 7. For a sample of termination or transfer of an individual with access
            to the key, and review the process of key rotation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-02
      name: Encryption Key Distribution
      description: Organization prohibits the distribution of cryptographic keys in
        clear text.
      annotation: 1. Ensure that the Key management policy hass a prohibition on the
        distribution of cryptographic keys in clear text.
      typical_evidence: E-CRY-04 - Key Management Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02:question:1
          text: 1. Inspect the Key management policy that shows that there is a prohibition
            on the distribution of cryptographic keys in clear text.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-03
      name: Encryption Key Storage
      description: Encryption keys are securely stored in an approved encryption platform.
      annotation: '1. Ensure that key management standard includes management operations
        using one of the listed options below, for encrypting and decrypting cardholder
        data:

        -Key-encrypting key is at least as strong as the data-encrypting key and is
        stored separately from the data-encrypting key

        -Stored within a cryptographic device

        -Keys are stored as at least two full-length key components or key shares'
      typical_evidence: E-CRY-04 - Key Management Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:1
          text: '1. Inspect and review the key management standard, to ensure that
            the management operations are using one of the listed options below, for
            encrypting and decrypting cardholder data:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:2
          text: -Key-encrypting key is at least as strong as the data-encrypting key
            and is stored separately from the data-encrypting key
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:3
          text: -Stored within a cryptographic device
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:4
          text: -Keys are stored as at least two full-length key components or key
            shares
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:5
          text: 2. Inspect the process and validate that one of the above methods
            are being used to protect the keys.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-04
      name: Clear Text Key Management
      description: If applicable, manual clear-text cryptographic key-management operations
        must be managed using split knowledge and dual control.
      annotation: '1. Ensure that the key management standard includes guidance on
        management operations being managed using split knowledge and dual controls.

        2. Establish a key custodian acknowledgement form.

        3. Ensure that when split knowledge is in place, both key components are 2
        full keys, not 1 key split into 2 components.'
      typical_evidence: 'E-CRY-04 - Key Management Standard

        E-CRY-05 - Sample key custodian acknowledgement form'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:1
          text: 1. Inspect and review the key management standard, to ensure that
            the management operations are managed using split knowledge and dual controls.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:2
          text: 2. Observe and confirm a sample key custodian acknowledgement form.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:3
          text: 3. Inspect that if split knowledge is in place both key components
            are 2 full keys, not 1 key split into 2 components.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-05
      name: Encryption of Data in Transit
      description: Organization restricted data that is transmitted over public networks
        is encrypted.
      annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\
        \ Standard and Data Encryption Standard includes requirements for encrypting\
        \ data at rest.\n2. Ensure that the data sent in transit is encrypted by performing\
        \ the following:\na. Latest TLS version and cipher suites usage over browser.\n\
        b. Use valid digital certificates by the endpoint.\nc. Period check by running\
        \ a Qualys provided SSL labs feature that scans and endpoint and enumerates\
        \ all ciphers and TLS versions permitted on an end point\n3. If the service\
        \ does not have public facing endpoints, ensure that the configuration of\
        \ the load balancer and corresponding Security group with details of TLS versions\
        \ allows and cipher suites allowed.\n4. Ensure that the expired SSL certificates\
        \ are identified and remediated."
      typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard

        E-CRY-07 - Data Encryption Standard

        E-CRY-08 - Latest TLS Version evidence

        E-CRY-09 - Digital Certificates Validity

        E-CRY-10 - Qualys SSL Labs Scan Results

        E-CRY-11 - Load Balancer Configuration

        E-CRY-12 - Security Group Configuration

        E-CRY-13 - Remediation & Tracking of expired SSL'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:1
          text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\
            \ and Data Encryption Standard to determine whether requirements for encrypting\
            \ data at rest were defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:2
          text: '2. Obtain the list of all public facing endpoints for the service.
            Inspect each public facing endpoint to determine if data sent in transit
            is encrypted by performing the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:3
          text: a. Inspecting the TLS version and cipher suites being used over browser.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:4
          text: b. Inspecting the validity of the digital certificates being used
            by the endpoint.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:5
          text: c. Running a Qualys provided SSL labs feature that scans and endpoint
            and enumerates all ciphers and TLS versions permitted on an end point
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:6
          text: 3. If the service does not have public facing endpoints, obtain configuration
            of the load balancer and corresponding Security group with details of
            TLS versions allows and cipher suites allowed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:7
          text: 4. Obtain the list of expired SSL certificates and validate whether.
            tracking and remediation of the expired SSL were performed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-06
      name: Encryption of Data at Rest
      description: Organization restricted data at rest is encrypted.
      annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\
        \ Standard and Data Encryption Standard includes requirements for encrypting\
        \ data at rest.\n2. Where data at rest shall be encrypted as per Data Classification\
        \ and Handling Standard, ensure the following:\na. Ensure encryption is enabled\
        \ along with type of encryption algorithm being used as applicable (e.g. for\
        \ AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases).\n\
        b. Ensure that only strong encryption algorithms mandated by Organization\
        \ Cryptography standard are in use where applicable.\nc. Establish a process\
        \ to periodically check the list of all cloud storage resources and determine\
        \ whether encryption was appropriately applied as applicable."
      typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard

        E-CRY-07 - Data Encryption Standard

        E-CRY-14 - Sample confirmation on databases/storage location list

        E-CRY-16 - List of cloud storage resources

        E-CRY-15 - Evidence of encryption enabled'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:1
          text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\
            \ and Cryptography Standard to determine whether requirements for encrypting\
            \ restricted data at rest have been defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:2
          text: '2. Obtain confirmation from teams that storage of data is in place.
            For services storing restricted data at rest, obtain and inspect the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:3
          text: a. List of all databases/storage locations (AWS/Azure Databases, On
            prem databases, etc.) where data is stored at rest.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:4
          text: b. For all the above locations, obtain evidence showing that encryption
            is enabled along with the type of encryption algorithm being used as applicable
            (e.g. for AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases)
            to ensure that only strong encryption algorithms mandated by Organization
            Cryptography standard are in use where applicable.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:5
          text: c. Obtain the list of all cloud storage resources and determine whether
            encryption was appropriately applied as applicable.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-07
      name: Approved Cryptographic Technology
      description: Where applicable, strong industry standard cryptographic ciphers
        and keys with an effective strength greater than 112 bits are required for
        cryptographic security operations.
      annotation: '1. Ensure that the encryption is enabled along with type of encryption
        algorithm being used as applicable (e.g. for AWS S3 - AWS SSE-KMSetc., full
        disk encryption for on prem databases).

        2. Ensure that strong industry standard cryptographic ciphers and keys with
        an effective strength greater than 112 bits are required for cryptographic
        security operations.'
      typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard

        E-CRY-07 - Data Encryption Standard'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:1
          text: 1. Validate evidence showing that encryption is enabled along with
            type of encryption algorithm being used as applicable (e.g. for AWS S3
            - AWS SSE-KMSetc., full disk encryption for on prem databases) to ensure
            that only strong encryption algorithms mandated by Organization Cryptography
            standard are in use where applicable.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:2
          text: 2. Validate whether the keys have a strength greater than 112 bits
            for cryptographic security operations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-08
      name: Key Repository Access
      description: Access to the cryptographic keystores is limited to authorized
        personnel.
      annotation: 1. Ensure that the access lists of the key repositories have authorized
        users and reviewed periodically.
      typical_evidence: E-CRY-17 - Access List of Key Repository
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08:question:1
          text: 1. Inspect the access lists of the key repositories and ensure that
            the users listed are authorized and reviewed previously.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-09
      name: Key Store Review
      description: Management reviews and authorizes key store locations.
      annotation: '1. Establish a process to review key management services to ensure
        that they are still authorized key stores.

        2. The list of authorized key stores shall be reviewed periodically.'
      typical_evidence: E-CRY-18 - Review history of authorized key stores list
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:1
          text: 1. Inspect and review key management services to ensure that they
            are still authorized key stores.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:2
          text: 2. Review the list of authorized key stores and their last date of
            review.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-10
      name: Full Disk Encryption Access
      description: Where full disk encryption is used, logical access must be managed
        independently of operating system authentication; decryption keys must not
        be associated with user accounts.
      annotation: '1. Ensure that the decryption keys are stored in a Trusted Platform
        Module (TPM).

        2. Ensure that the decryption keys are not stored as plain text in insecure
        storage locations.'
      typical_evidence: 'E-CRY-19 - Process documentation for Decryption key storage

        '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:1
          text: 1. Confirm that the decryption keys are stored in a Trusted Platform
            Module (TPM).
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:2
          text: 2. Confirm that the decryption keys are not stored as plain text in
            insecure storage locations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-11
      name: Key Custodians Agreement
      description: "Cryptographic Key Custodians\_and\_Cryptographic Materials Custodians\
        \ (CMC) acknowledge in writing or electronically that they understand and\
        \ accept their cryptographic-key-custodian responsibilities."
      annotation: 1. Ensure that Key Custodian Acknowledgements are signed by cryptographic
        key custodians, which will provide assurance of appropriate acknowledgement
        to the key custodian responsibilities.
      typical_evidence: E-CRY-20 - Sample of signed Key Custodian Acknowledgements
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11:question:1
          text: 1. Obtain and inspect a sample of signed Key Custodian Acknowledgements
            to validate that cryptographic key custodians have appropriately acknowledged
            their key custodian responsibilities.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-12
      name: Approved Certificate Authorities
      description: Organization restricts the use of digital certificates to those
        that are signed by approved certificate authorities; a certification path
        to an accepted trust anchor is established.
      annotation: 1. Establish a process for executing periodic SSL tests to ensure
        that only digital certificates that are signed by approved certificate authorities
        are accepted.
      typical_evidence: E-CRY-21 - Sample of SSL Test results
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:1
          text: 1. Observe a sample of servers and review their SSL test.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:2
          text: 2. Observe the SSL test and confirm that only digital certificates
            that are signed by approved certificate authorities are accepted.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-13
      name: 'Installation of Software: Certificate Verification'
      description: Digital Certificates are verified by information system components
        prior to installation on the production network.
      annotation: 1. Establish a process for executing periodic SSL tests and configuration
        files to ensure that digital certificates are verified prior to installation
        on production networks.
      typical_evidence: 'E-CRY-21 - Sample of SSL Test results

        E-CRY-22 - SSL Configuration Files'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:1
          text: 1. Observe a sample of servers and review their SSL test.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:2
          text: 2. Observe the SSL test and configuration files and ensure that digital
            certificates are verified prior to installation on production networks.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-14
      name: Public Key Infrastructure-based Authentication
      description: Information systems are configured to follow an established certification
        path to an accepted trust anchor; in the case of network failure, a local
        cache of revocation data is maintained to support validation.
      annotation: 1. Establish a process for executing periodic SSL tests to ensure
        that the identified Certificate authority is authorized to act as a trust
        anchor.
      typical_evidence: E-CRY-21 - Sample of SSL Test results
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:1
          text: 1. Observe a sample of servers and domains and review their SSL test.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:2
          text: 2. Observe the Certificate authority and ensure that it is an authorized
            to act as a trust anchor.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55
      ref_id: CRY-15
      name: Software Signing
      description: "Organization uses a software signing infrastructure to restrict\
        \ access to organization\u2019s code signing private keys used to sign organization\
        \ authorized software builds."
      annotation: '1. Ensure that a process is defined and documented for software
        signing.

        2. Ensure that the private keys used for software signing are accessible only
        to a restricted set of personnel.'
      typical_evidence: 'E-CRY-23 - Software Development Lifecycle Policy


        E-CRY-24 - Configuration evidence for accessing software signing keys'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            software signing.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:2
          text: 2. Validate whether the private keys used for software signing are
            accessible only to a restricted set of personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:3
          text: 3. Validate that periodic access reviews are performed for these keys.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      assessable: false
      depth: 1
      name: Data Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-01
      name: Data Classification Criteria
      description: Organization's data classification criteria are periodically reviewed,
        approved by management, and communicated to authorized personnel; the data
        security management team determines the treatment of data according to its
        designated data classification level.
      annotation: '1. Ensure that a Data Classification Criteria is defined and documented.

        2. Ensure that this criteria is reviewed and approved periodically and appropriate
        documentation for the review is retained.

        3. Ensure that a process is defined and implemented to ensure data is treated
        according to its data classification level. '
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-02 - Periodic Review Records

        E-DM-03  - '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:1
          text: "1. Inspect Organization's policy and/or standard to determine whether\
            \ Organization\u2019s data classification criteria is defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:2
          text: 2. Inspect whether the criteria is periodically reviewed and approved
            by the management.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:3
          text: 3. Validate using sample testing that data is categorized and treated
            according to its data classification level and defined controls.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-02
      name: Data Inventory
      description: Organization should identify, label and classify Data based on
        the Data Classification Criteria.
      annotation: '1. Ensure that a process for identifying data is defined and documented
        in the organization.

        2. Ensure that the data is labelled and classified as per the Data Classification
        criteria.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-03  - '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:1
          text: 1. Inspect and validate in the Organization's policy and/or standard
            whether a process for identifying data is defined in the organization.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:2
          text: 2. Validate for a sample of data, that it is labelled and classified
            as per the Data Classification criteria.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-03
      name: Terms of Service
      description: Consent is obtained for Organization's Terms of Service (ToS) prior
        to collecting personal information and when the ToS is updated.
      annotation: '1. Ensure that organizations Terms of Service are defined and documented.

        2. Ensure that a process is defined for updating the Terms of Service which
        includes recapturing of consent.

        3. Ensure that the consent is taken for the Terms of Service prior to collecting
        personal information.'
      typical_evidence: 'E-DM-04 - Terms of Service

        E-DM-05 - Consent Records

        E-DM-06 - Terms of Service Update Process'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:1
          text: 1. Inspect and validate whether Terms of Service are defined and documented
            for the organization.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:2
          text: 2. Inspect whether the Terms of Service are updated periodically and
            ensure that consent is recaptured after updates.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:3
          text: 3. For sample of customers validate whether consent was obtained before
            collection of personal information.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-04
      name: Personal Information Access Requests
      description: In accordance with Organization policy, upon request, authenticated
        individuals are provided with a copy of their personal information or disclosures
        of their personal information in an understandable form and within the defined
        timeframe.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        for requesting a copy of personal information.

        2. Ensure that on request a copy of personal information is provided to authenticated
        individuals as per the policy.

        3. Ensure that the information is provided in an understandable form and in
        a timely manner as per the policy'
      typical_evidence: 'E-PRIV-01 - Privacy Policy

        E-DM-07 - Data Access Request Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:1
          text: 1. Inspect and validate whether a documented process is defined, and
            communicated for requesting a copy of personal information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:2
          text: 2. Validate whether on request a copy of personal information was
            provided to authenticated individuals.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:3
          text: 3. Validate that the information was provided in an understandable
            form and in a timely manner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-05
      name: Personal Information Deletion Requests
      description: In accordance with Organization policy, Organization processes
        requests for the deletion of personal information.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        for requesting deletion of personal information.

        2. Ensure that on request personal information is deleted as per the policy.'
      typical_evidence: 'E-PRIV-01 - Privacy Policy

        E-DM-08 - Data Deletion Request Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:1
          text: 1. Inspect and validate whether a documented process is defined, and
            communicated for requesting deletion of personal information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:2
          text: 2. Validate whether on request personal information was deleted as
            per organization's policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-06
      name: External Privacy Inquiries
      description: In compliance with Organization policy, Organization reviews privacy-related
        inquiries, complaints, and disputes.
      annotation: '1. Ensure that a process is defined, documented and communicated
        for review of privacy-related inquiries, complaints, and disputes.

        2. Ensure that these inquiries, complaints, and disputes are addressed in
        a timely and well communicated manner.'
      typical_evidence: 'E-PRIV-01 - Privacy Policy

        E-DM-09 - Privacy inquiry Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:1
          text: 1. Inspect and validate whether a documented process is defined, and
            communicated for review of privacy-related inquiries, complaints, and
            disputes.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:2
          text: 2. Validate for a sample whether these inquiries, complaints, and
            disputes are addressed in a timely and well communicated manner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-07
      name: Test Data Sanitization
      description: Restricted data is redacted prior to use in a non-production environment.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        for redacting or not using production data in test environments.

        2. Ensure that sufficient tools and processes exists for creation of dummy
        test data for testing purposes.'
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-DM-10 - Sample Test Data'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:1
          text: 1. Inspect and validate whether a documented process is defined, and
            communicated for redacting or not using production data in test environments.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:2
          text: 2. Validate for a sample, whether any production data is used in test
            environments.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:3
          text: 3. Validate how test data is generated and used for testing.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-08
      name: Personal Information Updates
      description: Organization allows authenticated users to review and update their
        personal information.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        regarding access and update to personal information.

        2. Ensure that appropriate justifications are provided for any denied access
        or update requests.

        3. Ensure that a process is defined, documented, and communicated for appealing
        the denial of access or update request.'
      typical_evidence: 'E-DM-11 - Access or update process document

        E-DM-12 - Personal information access/update request records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:1
          text: 1. Inspect and validate whether a documented process exists regarding
            access and update to personal information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:2
          text: 2. Validate that for any denied access or update requests, appropriate
            justifications were provided.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:3
          text: 3. Inspect and validate whether a documented process exists for appealing
            the denial of access or update request.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:4
          text: 4. Ensure that the access or update request process is well communicated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-09
      name: Credit Card Data Restrictions
      description: Organization does not store full track credit card data, credit
        card authentication information, credit card verification code, or credit
        personal identification number (PIN) which Organization processes for payment.
      annotation: '1. Ensure that a process is defined and documented for redaction
        of credit card data.

        2. Ensure that the organization does not store full track credit card data,
        credit card authentication information, credit card verification code, or
        personal identification number (PIN).'
      typical_evidence: E-DM-13 - Database Screenshots
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09:question:1
          text: 1. Validate that full credit card track data and sensitive authentication
            data is not stored in the databases of the Organization.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-10
      name: Primary Account Number Data Restrictions
      description: Organization restricts primary account number (PAN) data such that
        only the first six and last four digits are displayed; authorized users with
        a legitimate business need may be provided the full PAN.
      annotation: '1. Ensure that a process is defined and documented for redaction
        of credit card data.

        2. Ensure that the organization restricts primary account number (PAN) data
        such that only the first six and last four digits are displayed.

        3. Ensure that a process is defined to provide full PAN to authorized users
        with a legitimate business need.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-13 - Database Screenshots

        E-DM-14 - PAN authorization records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:1
          text: 1. Inspect and validate whether a documented process exists for redaction
            of credit card data.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:2
          text: 2. Validate that primary account number is stored such that only the
            first six and last four digits are displayed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:3
          text: 3. Inspect and validate whether a documented process exists to provide
            full PAN to authorized users with a legitimate business need.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-11
      name: Personal Information Inventory
      description: Organization maintains a documented inventory of media containing
        personal information.
      annotation: '1. Ensure that an inventory of media containing personal information
        is documented, approved, and communicated to appropriate stakeholders.

        2. Ensure that this inventory is reviewed and update periodically.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-15 - Personal Information Media Inventory'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:1
          text: 1. Inspect and validate whether an inventory of media containing personal
            information is formally documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:2
          text: 2. Ensure that a process is defined to review and update the inventory
            periodically.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-12
      name: Changes to Data at Rest
      description: Organization uses mechanisms to detect direct changes to the integrity
        of customer data and personal information; Organization takes action to resolve
        confirmed unauthorized changes to data.
      annotation: '1. Ensure that a process is defined and documented to detect unauthorized
        changed to customer data.

        2. Ensure that appropriate alerts are sent and actions are taken to resolve
        unauthorized changes.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-16 - Integrity Checks'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:1
          text: 1. Inspect and validate that a process is defined and documented to
            detect unauthorized changed to customer data.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:2
          text: 2. Validate whether alerts are sent and actions were taken to resolve
            unauthorized changes.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-13
      name: Data Processing Integrity
      description: System checks are in place to ensure both complete and accurate
        capture of data in process.
      annotation: '1. Ensure that a process is defined and documented for ensuring
        data integrity in transit and at rest

        2. Ensure appropriate tests are used to check checksums or hashes to ensure
        data integrity.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-16 - Integrity Checks'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:1
          text: 1. Inspect and validate that a process for ensuring data integrity
            in transit and at rest is defined and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:2
          text: 2. Validate and inspect the tests used to check checksums or hashes
            to ensure data integrity
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-14
      name: Secure Disposal of Media
      description: Organization securely erases media containing decommissioned restricted
        data and obtains a certificate or log of erasure; media pending erasure are
        stored within a secured facility.
      annotation: '1. Ensure that requirements for destroying media containing decommissioned
        restricted data are defined and documented.

        2. Ensure that the requirements for maintaining a log of such activities is
        defined.

        3. Ensure that appropriate records are maintained for such activities.

        4. Ensure a security facility is designated to store such media prior to erasure.

        5. Ensure a certificate of erasure is obtained for such media post erasure
        completion.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-17 - Media Erasure records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:1
          text: 1. Inspect and validate whether requirements for destroying media
            containing decommissioned restricted data are defined and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:2
          text: 2. Inspect and validate that the requirements for maintaining a log
            of such activities is defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:3
          text: 3. Validate that appropriate records are maintained for such activities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:4
          text: 4. For a sample of records, validate that a certificate of erasure
            was obtained for such media post erasure completion.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-15
      name: Customer Data Retention and Deletion
      description: Organization purges or archives data according to customer requests
        or legal and regulatory mandates.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        for requesting deletion or archival of personal information.

        2. Ensure that on customer''s request or as per legal/regulatory mandates,
        personal information is deleted/archived as per the policy.'
      typical_evidence: 'E-PRIV-01 - Privacy Policy

        E-DM-08 - Data Deletion Request Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:1
          text: 1. Inspect and validate whether a documented process is defined &
            communicated for requesting deletion/archival of personal information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:2
          text: 2. Validate whether on customer's request or as per legal/regulatory
            mandates personal information is deleted/archived as per the policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-16
      name: Removal of PHI from Media
      description: Organization removes electronic protected health information from
        electronic media if the media is made available for re-use.
      annotation: '1. Ensure that a process is defined and documented for removal
        of Protected Health Information from electronic media if the media is made
        available for reuse.

        2. Ensure that validation is done to ensure that no protected health information
        exists on the media before reuse.'
      typical_evidence: E-DM-01 - Data Management Policy
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            removal of Protected Health Information from electronic media if the media
            is made available for reuse.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:2
          text: 2. Inspect whether validation is done to ensure that no protected
            health information exists on the media before reuse.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-17
      name: 'Secure Disposal of Media: Testing'
      description: Organization tests sanitization procedures and equipment annually
        for effectiveness.
      annotation: '1. Ensure that a process is defined and documented for testing
        of sanitization procedures.

        2. Ensure that the sanitization procedures are tested annually and appropriate
        records are maintained.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-18 - Sanitization Procedures Testing Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            testing of sanitization procedures.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:2
          text: 2. Validate whether the sanitization procedures were tested annually.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-18
      name: Personal Information Retention and Deletion
      description: Organization retains and deletes personal information from Organization
        and service provider systems in accordance with Organization policy.
      annotation: '1. Ensure that a process is defined and documented for retention
        and deletion of personal information.

        2. Ensure that the personal information is retained and deleted as per the
        process from organization and service provider systems.'
      typical_evidence: "E-DM-01  - \nE-DM-19 - Personal Information Deletion Records"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            retention and deletion of personal information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:2
          text: 2. Validate whether the personal information was retained and deleted
            as per the process.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-19
      name: Temporary Storage of Personal Information
      description: Temporary files and documents containing personal information are
        deleted in accordance with a timeframe consistent with Organization policy.
      annotation: '1. Ensure that a process is defined and documented for deletion
        of temporary files.

        2. Ensure that temporary files are deleted within a defined timeframe as per
        the process.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-20 - Temporary Files deletion configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            deletion of temporary files.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:2
          text: 2. Validate the configuration for deletion of temporary files and
            ensure that the timeframe is as per the process.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-20
      name: Social Media
      description: Sharing Organization restricted data via messaging technologies,
        social media, and public websites is prohibited.
      annotation: '1. Ensure that a process is defined, documented, and communicated
        which prohibits sharing of restricted data via messaging technologies, social
        media, and public websites.

        2. Ensure that appropriate mechanisms are in place to detect such activities.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-21 - Sample Alerts showcasing restricted data via public websites is
        prohibited'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:1
          text: 1. Inspect and validate whether a process is defined, documented and
            communicated which prohibits sharing of restricted data via messaging
            technologies, social media, and public websites.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:2
          text: 2. Validate whether appropriate mechanisms are in place to detect
            such activities and alerts are generated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-21
      name: Publicly Accessible Content
      description: 'Organization protects its public information system presence with
        the following processes: only authorized and trained individuals may post
        public information, content is reviewed prior to publishing, information on
        public systems is reviewed periodically, and non-public information is removed
        from public systems upon discovery.'
      annotation: '1. Ensure that a process is defined, documented, and communicated
        regarding publishing of information on public websites.

        2. Ensure public information is reviewed periodically.

        3. Ensure appropriate process is defined for removing non-public information
        from public websites.

        4. Ensure appropriate access control exists for posting information on public
        websites.'
      typical_evidence: 'E-DM-01 - Data Management Policy

        E-DM-23 - Configuration for posting on Public Websites'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:1
          text: 1. Inspect and validate whether a process is defined, documented,
            and communicated regarding publishing of information on public websites.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:2
          text: 2. Validate whether public information is reviewed periodically.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:3
          text: 3. Validate the process for removing non-public information from public
            websites.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:4
          text: 4. Validate that appropriate access control exists for posting information
            on public websites.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71
      ref_id: DM-22
      name: Data Loss Prevention
      description: Data loss prevention capabilities are implemented to protect sensitive
        information as it is stored, transmitted, and processed.
      annotation: '1. Ensure that Data Loss Prevention solution is enabled on systems
        to protect sensitive data as it is stored, transmitted, and processed.

        2. Ensure appropriate alerts are sent and actions are taken to remediate any
        deviations.'
      typical_evidence: 'E-DM-22 - DLP Configuration

        E-DM-21 - Sample Alerts showcasing restricted data via public websites is
        prohibited'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:1
          text: 1. Validate whether that Data Loss Prevention solution is enabled
            on a sample system.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:2
          text: 2. Validate whether appropriate alerts are sent and actions are taken
            to remediate any deviations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      assessable: false
      depth: 1
      name: Entity Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-01
      name: Board of Directors Structure and Purpose
      description: "The Board of Directors provides corporate oversight, strategic\
        \ direction, and review of management for Organization. The Board of Directors\
        \ meets at least quarterly and has 3 sub-committees: \n\u2022 Audit Committee\n\
        \u2022 Executive Compensation and Nominating Committee\n\u2022 Governance\
        \ Committee"
      annotation: '1. Document the Board of Directors responsibilities and members
        within a charter.

        2. Ensure Board of Directors meet at least quarterly, and document meeting
        minutes of each meeting.

        3. Ensure Board of directors have at least 3 sub-committees defined and formed,
        audit committee, executive compensation and nominating committee, and governance
        committee.'
      typical_evidence: 'E-EM-01 - Board of directors charter

        E-EM-02 - Board of directors meetings minutes'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:1
          text: 1. Inspect that the board of directors information in the form of
            Charter is available on the Organization governance website.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:2
          text: '2. Validate that board of directors meet at least quarterly to provide
            corporate oversight and have at least 3 sub-committees defined: audit
            committee, executive compensation and nominating committee, and governance
            committee.'
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-02
      name: Audit Committee
      description: "The Audit Committee is governed by a Charter, is independent from\
        \ Organization Management, composed of outside directors (Industry Experts),\
        \ and meets quarterly. The Audit Committee oversees: \n\u2022Financial Statement\
        \ Quality \n\u2022Enterprise Risk Management\n\u2022Regulatory & Legal Compliance\n\
        \u2022Internal Audit Functions\n\u2022Information Security Functions\n\u2022\
        External Audit Functions"
      annotation: '1. Ensure documented information on the Audit Committee and Audit
        Committee Charter is created.

        2. Ensure that the audit committee is independent and meets quarterly as defined
        within the charter. Document the most recent meeting in the form of an audit
        committee minutes.

        3. Ensure that the audit committee includes outside directors (industry experts).

        4. Ensure audit committee reviews financial statement quality, enterprise
        risk management, regulatory & legal compliance, internal and external audit
        function, and information security functions.

        5. Follow up on any open items from previous audit committee meetings to ensure
        they are being worked on and closed out.'
      typical_evidence: 'E-EM-03 - List of members on the audit committee

        E-EM-04 - Audit committee charter

        E-EM-05 - Audit Committee meeting minutes

        E-EM-06 - Evidence of follow up items or action plans'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:1
          text: 1. Inspect the Charter of the Audit Committee of the Board of Directors
            and meeting minutes to determine whether the Audit Committee is independent
            from management, and is composed of outside directors.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:2
          text: '2. Validate that the audit committee is independent and meets quarterly
            as defined within the charter. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:3
          text: 3. Inspect the minutes of meeting audit committee.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:4
          text: 4. Validate meeting minutes to ensure that financial statement quality,
            enterprise risk management, regulatory & legal compliance, internal and
            external audit function, and information security functions were reviewed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-03
      name: Organizational Structure
      description: Organization Management ensures that its organization is aligned
        with the corporate strategy by assigning key managers with responsibilities
        to execute the corporate strategy.
      annotation: '1. Ensure the organization has defined and documented a corporate
        strategy including the responsibilities for key managers.

        2. Ensure the strategy is available to the respective stakeholder and is communicated
        effectively.'
      typical_evidence: E-EM-07 - Documented corporate strategy in the Information
        Security policy
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:1
          text: 1. Validate and ensure that the organization has established and documented
            the strategy with the responsibilities for key managers.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:2
          text: 2. Inspect whether the strategy is available to the respective stakeholder
            and is communicated effectively.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-04
      name: Operating Plans
      description: Annual operating plans are aligned with Corporate Objectives, which
        are established on an annual basis during the Company's planning process.
        Priorities are set and plans are communicated appropriately.
      annotation: "1. Ensure that operating plans are established. \n2. Ensure that\
        \ these plans are updated and approved on an annual basis.\n3. Ensure priorities\
        \ are set and plans are communicated to the respective stakeholders."
      typical_evidence: 'E-EM-08 - Operating plan procedure/process

        E-EM-09 - Evidence showcasing the plans are communicated to the stakeholders
        (MOM)'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:1
          text: 1. Inspect the process of operating plans creation and update.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:2
          text: 2. Validate that the corporate strategy is an input to operating plans
            update process.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:3
          text: 3. Validate whether the plans are updated and approved at least annually
            and communicated to the stakeholders.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-05
      name: Cyber Security Insurance
      description: Organization purchases cyber security insurance to mitigate risk
        of material financial impact that could result from a cyber security event.
      annotation: '1. Ensure cyber security insurance is being purchased by the organization
        and is active for the audit period.

        2. Ensure that a process is created for renewal of Cyber Security Insurance.'
      typical_evidence: E-EM-10 - Latest Cyber Security Insurance
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05:question:1
          text: 1. Obtain and inspect the latest cyber security insurance to verify
            that the insurance policy is active for the audit period.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-06
      name: Internal Audit Function
      description: Quarterly, the Chief Audit Executive meets with the Audit Committee
        to review key risk issues. The Audit Committee approves the annual Internal
        Audit Plan. Results of quarterly audits and subsequent issue tracking summaries
        are presented to the Audit Committee.
      annotation: '1. Ensure key risk issues shall be reviewed at least quarterly
        by the audit committee and document the issues identified along with the plan
        of action for risk remediation.

        2. Ensure the Internal audit plan is annually approved by the audit committee.

        3. Ensure results of quarterly audits and issues identified as a part of audit
        are presented to the Audit Committee.'
      typical_evidence: 'E-EM-11 - Latest MOM of audit committee

        E-EM-12 - Internal audit plan

        E-EM-13 - Internal audit report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:1
          text: 1. Inspect Minutes of audit committee meeting and validate that it
            highlights the key risks identified, plan of action along with the timeline.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:2
          text: ' '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:3
          text: 2. Check internal audit plan to ensure it was approved by the audit
            committee.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:4
          text: 3. Inspect and validate whether results of quarterly audits are presented
            to the audit committee.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-07
      name: Financial Control Review
      description: Internal financial control assessment results are reported to the
        Audit Committee by the Chief Audit Executive on a quarterly basis and support
        the CEO/CFO 302/404 certifications.
      annotation: 1. Ensure Chief Audit committee shall report the internal financial
        control assessment results to the Audit Committee on a quarterly basis.
      typical_evidence: E-EM-14 - Minutes of meeting showcasing the Internal financial
        control assessment results
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07:question:1
          text: 1. Inspect Minutes of the audit committee meeting to ensure internal
            financial control assessment results are discussed and reported on a quarterly
            basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-08
      name: Information Security Function
      description: Quarterly, the Chief Security Officer meets with the Audit Committee
        to review key Information Security issues. Results of continuous monitoring
        activities and current security compliance status are presented to the Audit
        Committee and the Board of Directors.
      annotation: '1. Ensure audit committee reviews the Information security issues
        at least quarterly and document the issues identified along with the plan
        of action for risk remediation.

        2. Ensure Minutes of Meetings to be documented stating the compliance status.

        3. Ensure results of continuous compliance activities and current compliance
        status are reported to the Audit Committee and the Board of Directors in the
        form of PowerPoints, documents, etc.'
      typical_evidence: E-EM-15 - Minutes of meeting showcasing the security compliance
        status and issues identified
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:1
          text: 1. Validate whether information security issues are reviewed at least
            quarterly by the audit committee along with remediation plans.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:2
          text: 2. Inspect minutes of audit committee meeting with chief security
            officer to ensure security compliance status along with the continuous
            monitoring of action plan is discussed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-09
      name: Information Security Compliance Review
      description: Information Security compliance results are reported to the Audit
        Committee by the Chief Security Officer on a quarterly basis and support information
        security compliance certifications
      annotation: '1. Ensure Minutes of Meetings to be documented stating the compliance
        results on a quarterly basis.

        2. Ensure results of current security compliance status and issues identified
        as a part of audit are reported to the Audit Committee in the form of PowerPoints,
        documents, etc.'
      typical_evidence: E-EM-16 - Minutes of meeting showcasing the security compliance
        results
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09:question:1
          text: 1. Obtain and inspect evidence that quarterly Information Security
            compliance results were reported to the Audit Committee.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-10
      name: Common Controls Framework
      description: Organization maintains a Common Control Framework (CCF) that is
        used in the implementation of control measures as a risk mitigation strategy
        to support organization operations, technology infrastructure, and security
        management activities.
      annotation: '1. Ensure that a control set is created to govern the organization''s
        information security program.

        2. Document the control set and ensure it is communicated with relevant stakeholders.'
      typical_evidence: E-EM-17 - Organization's control set
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:1
          text: 1. Validate whether a control framework exists for managing the organization's
            information security program.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:2
          text: 2. Ensure that this control set is documented and available to relevant
            stakeholders.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94
      ref_id: EM-11
      name: Service Agreement
      description: "When customers sign-up for Organization\u2019s product and services,\
        \ the customer is required to acknowledge a service agreement which includes\
        \ considerations for protecting security, availability, confidentiality and\
        \ indicates the responsibilities of the users and organization\u2019s responsibilities\
        \ and commitments."
      annotation: '1. Ensure that the customers acknowledge a service agreement including
        considerations for protecting security, availability, confidentiality.

        2. Ensure that the service agreement contains responsibilities of users and
        the organization.'
      typical_evidence: E-EM-18 - Customer service agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:1
          text: 1. Validate whether customers acknowledge a service agreement.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:2
          text: 2. Validate whether the agreement contains considerations for protecting
            security, availability, confidentiality.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:3
          text: 3. Validate whether the agreement contains users and organizations
            responsibilities.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      assessable: false
      depth: 1
      name: Identity and Access Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-01
      name: Logical Access Provisioning
      description: Logical access provisioning to information systems requires approval
        from appropriate personnel.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access provisioning.

        2. Ensure access approval logic is mandated in the access management portal
        accordingly.

        3. Ensure that the access management portal is updated with the relevant approvers.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-02 - Access Management Portal Workflow

        E-IAM-03 - Access Provisioning Logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:1
          text: 1. Inspect Organization Logical Access Policy and/or Standard to determine
            that the requirements for access provisioning were defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:2
          text: 2. Inspect evidence of the workflow from access management portal
            showing access requires approval and is provisioned upon approval.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:3
          text: 3. Inspect the system generated list of identity and access groups
            which are in-scope and associated workgroups with approvers from access
            management portal.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:4
          text: 4. Inspect access provisioning system logs for a selection of users
            who were granted access to production systems.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-02
      name: Change of Access Notification
      description: Changes made to system access trigger a notification that is sent
        to designated personnel.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access modification.

        2. Ensure that any change made to access triggers a notification in the access
        management portal accordingly.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-04 - Access Modification Logs

        E-IAM-05 - Sample alert for Access Modification'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:1
          text: 1. Inspect Organization Logical Access Policy and/or Standard to determine
            the requirements for access provisioning were defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:2
          text: 2. Validate for a sample access change, that a notification in the
            access management portal was triggered to the management.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-03
      name: Logical Access De-provisioning
      description: Logical access that is no longer required in the event of a termination
        is documented, communicated to management, and revoked.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access de-provisioning.

        2. Ensure access termination logic is mandated in the access management portal
        accordingly.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-02 - Access Management Portal Workflow

        E-IAM-07 - Access De-Provisioning Logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:1
          text: "1. Inspect Organization\u2019s Logical Access Account Standard to\
            \ determine whether the requirements for access de-provisioning or terminations\
            \ were defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:2
          text: 2. Inspect the list of system generated population of terminated full-time
            and temporary employees and contractors from the HR system.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:3
          text: 3. Inspect configurations to determine that user accounts are disabled
            after they are no longer required..
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:4
          text: 4. Inspect removals from the access management tool for a selection
            of terminations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-04
      name: 'Logical Access De-provisioning: Notification'
      description: The People Resources system sends a notification to relevant personnel
        in the event of a termination of an information system user.
      annotation: 1. Ensure that on access termination, the access management portal
        triggers a notification to the relevant personnel.
      typical_evidence: 'E-IAM-02 - Access Management Portal Workflow

        E-IAM-06 - Access Termination Logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04:question:1
          text: 1. Inspect resource management portal to check if the relevant stakeholders
            are informed upon an employee's termination of an information system user.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-05
      name: Logical Access Review
      description: Organization performs account and access reviews on a quarterly
        basis; corrective action is taken where applicable.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access reviews.

        2. Ensure access reviews are performed as per defined frequency.

        3. Ensure that the necessary corrective action has been taken, if required.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-08 - Access Review Reconciliation

        E-IAM-09 - Corrective Action in Access Management Portal'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:1
          text: "1. Inspect Organization\u2019s Logical Access Account Standard to\
            \ determine whether the requirements for access reviews were defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:2
          text: 2. Inspect the access reviews reconciliation report on a quarterly
            basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:3
          text: '3. For a sample of services, inspect the access review for the selected
            quarters. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:4
          text: 4. In case of any discrepancy, ensure that corrective action has been
            taken and appropriate approval is obtained from the authorized personnel.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-06
      name: 'Role Change: Access De-provisioning'
      description: Upon notification of an employee reassignment or transfer, management
        reviews the employee's access for appropriateness. Access that is no longer
        required is revoked and documented.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access modification in case of transfer or reassignment.

        2. Ensure access reviews are performed appropriately.

        3. Ensure that the necessary corrective action has been taken, if required.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-08 - Access Review Reconciliation

        E-IAM-09 - Corrective Action in Access Management Portal'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:1
          text: "1. Inspect Organization\u2019s Logical Access Account Standard to\
            \ determine whether the requirements for access modifications were defined\
            \ and includes the case of employee reassignment or transfer."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:2
          text: 2. Inspect the user access reconciliation report to ensure that the
            user access reviews are completed appropriately.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:3
          text: 3. In case of any discrepancy, ensure that corrective action has been
            taken inspect the list of terminated users from the audit period.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:4
          text: 4. For a sample of terminated users, validate that access was terminated
            in a timely and appropriate manner.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-07
      name: Shared Logical Accounts
      description: Organization restricts the use of shared and group authentication
        credentials. Authentication credentials for shared and group accounts are
        reset every 90 days.
      annotation: '1. Design and document a process for Logical Access and requirements
        for rotation of shared credentials.

        2. Ensure that shared secrets were rotated as per the defined policy.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-10 - Shared secret rotation evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:1
          text: 1. Inspect the Logical Access Account Standard to determine whether
            Organization requires the restriction of shared and group authentication
            credentials, and that authentication credentials are rotated
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:2
          text: 2. For a sample of services validate that shared secrets were rotated
            as per the defined policy and appropriate evidences are available.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-08
      name: 'Shared Logical Accounts: Group Member '
      description: Passwords for shared and group accounts are reset when a member
        of the shared group leaves.
      annotation: '1. Design and document a process for Password Policy and requirements
        for changing password of shared and group accounts.

        2. Ensure that the password is changed if a member of the shared group leaves.'
      typical_evidence: 'E-IAM-16 - Password Policy

        E-IAM-11 - Password Change evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:1
          text: 1. Inspect Organization's password policy and check requirement for
            changing the password for shared and group accounts are clearly defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:2
          text: 2. Inspect shared credential storage tools to check the operational
            effectiveness and ensure passwords are changed when a member of the shared
            group leaves.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-09
      name: Shared Account Restrictions
      description: Where applicable, the use of generic and shared accounts to administer
        systems or perform critical functions is prohibited; generic user IDs are
        disabled or removed.
      annotation: '1. Ensure that there are no generic or shared accounts used.

        2. Ensure that production access is controlled and does not use generic or
        shared accounts.'
      typical_evidence: 'E-IAM-12 - List of User IDs

        E-IAM-13 - Access to IAM groups'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:1
          text: 1. Review and ensure that there are no generic or shared accounts.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:2
          text: 2. Validate for a sample of services that production access is controlled
            and is configured to use unique user accounts and that a generic or shared
            ID is not used..
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-10
      name: 'Role Change: People Resources Notification'
      description: The People Resources system sends a notification to relevant management
        and relevant information system administrators in the event of an employee
        reassignment or transfer of an information system user.
      annotation: '1. Design and document a process for Logical Access and requirements
        for access modification in case of transfer or reassignment.

        2. Ensure access management portal sends a notification to concerned personnel.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-02 - Access Management Portal Workflow

        E-IAM-04 - Access Modification Logs

        E-IAM-15 - Configuration showing trigger is configured'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10:question:1
          text: 1. Inspect resource management portal to check if the relevant stakeholders
            are informed upon an event of an employee reassignment or transfer of
            an information system user.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-11
      name: Temporary Account Termination
      description: Temporary and emergency accounts are automatically terminated 90
        days from the date they are generated.
      annotation: '1. Design and document a process for Access control and requirements
        for automatic termination of temporary and emergency accounts.

        2. Ensure that the access management portal is configured to terminate temporary
        and emergency accounts within 90 days.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-14 - Configuration showing 90 days termination'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:1
          text: '1. Inspect Organization''s access control policy to check policy
            pertaining to temporary and emergency accounts are automatically terminated
            90 days from the date they are generated, is clearly defined. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:2
          text: 2. Check the access management tool to ensure the effectiveness of
            termination of temporary and emergency accounts within 90 days..
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-12
      name: Unique Identifiers
      description: Organization requires unique identifiers for user accounts and
        prevents identifier reuse.
      annotation: 1. Ensure unique identifiers are used for user accounts.
      typical_evidence: 'E-IAM-16 - Password Policy

        E-IAM-02 - Access Management Portal Workflow

        E-IAM-17 - Existing User listing'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:1
          text: 1. Inspect Organization's Authentication Standard to determine whether
            unique identifier requirements are documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:2
          text: 2. Perform a walkthrough of user account creation of an existing user
            to determine whether identifier reuse is prevented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:3
          text: 3. Obtain a complete list of existing users with identifiers to determine
            whether same identifier is not used for any two users.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-13
      name: Password Authentication
      description: User and device authentication to privileged information systems
        is protected by passwords that meet Organization's password complexity requirements.
      annotation: 1. Ensure that user and device authentication to privileged information
        systems is protected by passwords that meet Organization's password complexity
        requirements.
      typical_evidence: 'E-IAM-16 - Password Policy

        E-IAM-18 - Password policy from console'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:1
          text: "1. Inspect Organization\u2019s Authentication Standard to determine\
            \ whether the policies contain requirements for the creation, allocation,\
            \ change, distribution, and safeguarding of passwords."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:2
          text: 2. Inspect the accessmanagement tool setting to determine password
            complexity, consecutive re-use, and change frequency requirements of passwords
            is in accordance with organization password complexity requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-14
      name: Multifactor Authentication
      description: "Multi-factor authentication is required for:\n\u2022 remote VPN\
        \ sessions\n\u2022 access to trusted data environments"
      annotation: 1. Ensure remote connection to the corporate network is invoked
        via VPN and VPN in turn invokes Multi-factor authentication
      typical_evidence: 'E-IAM-19 - Remote Access Standard

        E-IAM-20 - VPN Connection walkthrough

        E-IAM-21 - System config for Multi Factor Authentication'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:1
          text: "1. Inspect Organization\u2019s Remote Access Standard to determine\
            \ whether requirements for remotely connecting to the corporate network\
            \ are defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:2
          text: 2. Observe a user remotely connect to the Organization Corporate Network
            via VPN.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:3
          text: 3. Inspect system configuration of VPN software to determine whether
            Multi-factor authentication is required.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:4
          text: 4. Perform a walkthrough of system connecting to Organization network
            remotely via vpn software to determine whether Multi- factor authentication
            is required for remote VPN session.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-15
      name: Authentication Credential Maintenance
      description: Authorized personnel verify the identity of users before modifying
        authentication credentials on their behalf.
      annotation: '1. Document and validate the process of modifying credentials.

        2. Ensure that verification is done before modification'
      typical_evidence: E-IAM-22 - Access Reset process
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:1
          text: 1. Validate the process with the IT Helpdesk at least on an annual
            basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:2
          text: 2. Inspect whether necessary and updated documentation is available
            on the process.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-16
      name: Session Timeout
      description: Information systems are configured to terminate inactive sessions
        after 15 minutes or when the user terminates the session.
      annotation: 1. Ensure that information systems are configured to terminate inactive
        sessions after 15 minutes or when the user terminates the session.
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-23 - Session timeout config for server'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:1
          text: "1. Inspect Organization\u2019s Logical Access Account Standard to\
            \ determine whether the requirements for access reviews were defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:2
          text: 2. Inspect the server samples from the service team.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:3
          text: 3. Select the sample from the listing and inspect session timeout
            configuration
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-17
      name: Session Limit
      description: Information systems are configured to limit concurrent login sessions
        and the inactive user interface is not displayed when the session is terminated.
      annotation: "1. Ensure that the systems are configured to limit concurrent login\
        \ sessions. \n2. Ensure that inactive user interface is not displayed when\
        \ the session is terminated."
      typical_evidence: 'E-IAM-24 - Access Management Policy

        E-IAM-25 - Active Directory Screenshot'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:1
          text: '1. Inspect Organization''s access control policy to check clauses
            pertaining to limited concurrent login sessions and the inactive user
            interface is not displayed when the session is terminated are clearly
            defined. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:2
          text: 2. Check logical access systems to ensure the effectiveness for the
            same.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-18
      name: 'Account Lockout: Cardholder Data Environments'
      description: Users are locked out of information systems after 6 invalid attempts
        for a minimum of 30 minutes, or until an administrator enables the user ID.
      annotation: 1. Ensure that user lock out parameters are defined and implemented
        to lockout after 6 invalid attempts for minimum 30 minutes.
      typical_evidence: 'E-IAM-16 - Password Policy

        E-IAM-26 - Account lockout parameters'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:1
          text: "1. Inspect Organization\u2019s Authentication Standard to determine\
            \ whether the policies contain requirements for the account lockout post\
            \ failed login attempts."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:2
          text: 2. Inspect the logical access systems setting to determine that account
            lockout policy is configured with Organization password requirements to
            lock a user's account after 6 failed attempts for a minimum of 30 minutes
            or until it is reset by a System Administrator
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-19
      name: Account Lockout
      description: Users are locked out of information systems after multiple, consecutive
        invalid attempts within a defined period; accounts remain locked for a defined
        period.
      annotation: 1. Ensure that user lock out parameters are defined and implemented
      typical_evidence: 'E-IAM-16 - Password Policy

        E-IAM-26 - Account lockout parameters'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:1
          text: '1. Inspect Organization''s access control policy to check clauses
            pertaining to accessing system by multiple failed attempts are clearly
            defined. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:2
          text: 2. Check check logical access systems to ensure the effectiveness
            for the same.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-20
      name: Login Banner
      description: "Systems leveraged by the U.S. Federal Government present a login\
        \ screen that displays the following language:\n\u2022 users are accessing\
        \ a U.S. Government information system\n\u2022 system usage may be monitored,\
        \ recorded, and subject to audit\n\u2022 unauthorized use of the system is\
        \ prohibited and subject to criminal and civil penalties\n\u2022 use of the\
        \ system indicates consent to monitoring and recording"
      annotation: "1. Ensure that the Systems leveraged by the U.S. Federal Government\
        \ present a login screen that displays the following language:\n\u2022 users\
        \ are accessing a U.S. Government information system\n\u2022 system usage\
        \ may be monitored, recorded, and subject to audit\n\u2022 unauthorized use\
        \ of the system is prohibited and subject to criminal and civil penalties\n\
        \u2022 use of the system indicates consent to monitoring and recording"
      typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:1
          text: '1. Inspect and validate for a sample system that Systems leveraged
            by the U.S. Federal Government present a login screen that displays the
            following language:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:2
          text: "\u2022 users are accessing a U.S. Government information system"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:3
          text: "\u2022 system usage may be monitored, recorded, and subject to audit"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:4
          text: "\u2022 unauthorized use of the system is prohibited and subject to\
            \ criminal and civil penalties"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:5
          text: "\u2022 use of the system indicates consent to monitoring and recording"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-21
      name: Credentials Validation
      description: "Organization systems utilize Federal Identity, Credential, and\
        \ Access Management (FICAM) components and conform to FICAM-issued profiles;\
        \ systems verify and accept the following external credentials:\n\u2022 personal\
        \ Identity Verification (PIV) credentials from federal agencies, and\n\u2022\
        \ FICAM-approved credentials from non-federal third-parties\n"
      annotation: '1. Ensure that the organization uses Federal Identity, Credential,
        and Access Management (FICAM) components and conform to FICAM-issued profiles
        for Federal Systems.

        2. Ensure that the organization accepts personal Identity Verification (PIV)
        credentials from federal agencies and FICAM-approved credentials from non-federal
        third-parties'
      typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:1
          text: 1. Inspect and validate whether the organization uses Federal Identity,
            Credential, and Access Management (FICAM) components and conform to FICAM-issued
            profiles for Federal Systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:2
          text: 2. Validate that the organization accepts personal Identity Verification
            (PIV) credentials from federal agencies and FICAM-approved credentials
            from non-federal third-parties
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-22
      name: 'Password Authentication Standard: Federal Systems'
      description: "Organization information systems obscure feedback of authentication\
        \ information during the authentication process (e.g., the system does not\
        \ disclose error information such as \"'user1' is not a valid username\")\
        \ and have the following password requirements:\n\u2022 minimum of 12 characters\n\
        \u2022 contains at least one upper-case letter, lower-case letter, number,\
        \ and a special character\n\u2022 at least one of the characters is changed\
        \ when the new passwords are created.\n\u2022 the password life span is between\
        \ 1 to 60 days\n\u2022 password reuse is prohibited for 24 generations\n\u2022\
        \ only allow the use of temporary password system logons with an immediate\
        \ change to a permanent password"
      annotation: "1. Ensure that failed authentication notes do not contain any error\
        \ information.\n2. Ensure that the password policy in the logical access system\
        \ is defined as below: \n-Minimum 12 character length\n-Password complexity\
        \ has one upper-case, lower-case, and a special character\n-Temporary Passwords\
        \ are immediately changed to a permanent password\n-Passwords cannot be the\
        \ same as the last 24 passwords\n-Passwords must be rotated at least every\
        \ 60 days"
      typical_evidence: 'E-IAM-28 - Sample error information

        E-IAM-18 - Password policy from console'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:1
          text: 1. Inspect that failed authentication notes do not contain any error
            information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:2
          text: '2. Inspect that the password policy in the logical access system
            and ensure that it is defined as below: '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:3
          text: -Minimum 12 character length
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:4
          text: -Password complexity has one upper-case, lower-case, and a special
            character
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:5
          text: -Temporary Passwords are immediately changed to a permanent password
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:6
          text: -Passwords cannot be the same as the last 24 passwords
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:7
          text: -Passwords must be rotated at least every 60 days
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-23
      name: Privileged Session Management
      description: Privileged logical access to trusted data environments is enabled
        through an authorized session manager; session user activity is recorded and
        tunnelling to untrusted data environments is restricted.
      annotation: '1. Ensure Privileged logical access to trusted data environments
        is enabled through an authorized session manager.

        2. Ensure session user activity is recorded and documented.

        3. Tunnelling to untrusted data environments is restricted.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-29 - Authorized session manager evidence

        E-IAM-30 - List of privileged users

        E-IAM-31 - Access approval evidence

        E-IAM-32 - Tunneling restriction config evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:1
          text: '1. Observe user access management process for managing privileged
            access to trusted data environments in accordance with organization policies
            and verify the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:2
          text: "\u2022 Creation and allocation of privileged user accounts/IDs on\
            \ the information systems is controlled through a formal authorization\
            \ process."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:3
          text: "\u2022 Privilege access to trusted data environments are enabled\
            \ through an authorized session manager"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:4
          text: "\u2022 Privileged access rights are allocated to users on a time\
            \ bound need-to-use basis and on an event-by-event basis in line with\
            \ the access control policy, i.e. based on the minimum requirement for\
            \ their functional roles and shall be revoked post that defined time period;"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:5
          text: "\u2022 All session user activities are recorded and tunnelling to\
            \ untrusted data environments is restricted"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:6
          text: 2.  Inspect list of users that have privileged logical access to trusted
            data environments.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:7
          text: 3. For a sample of user, inspect evidence of screenshot showing privilege
            access to trusted data environments is granted by authorized session manager.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:8
          text: 4. Inspect configuration showing that session recording for user activity
            is recorded.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:9
          text: 5. Inspect configuration showing that tunneling to untrusted data
            environments is restricted.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-24
      name: Zero Trust Enterprise Network
      description: Organization users are authenticated against a Zero Trust model
        prior to gaining access to organization resources.
      annotation: '1. Ensure that a process is defined and documented for the organization''s
        zero trust architecture.

        2. Ensure that a zero trust access authorization infrastructure is effectively
        operating for accessing organization''s resources.'
      typical_evidence: 'E-IAM-24 - Access Management Policy

        E-IAM-33 - Zero Trust Implementation Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            the organization's zero trust architecture.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:2
          text: 2. Validate whether all access to organization's resources are via
            a zero trust method.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-25
      name: Logical Access Role Permission Authorization
      description: Initial permission definitions, and changes to permissions, associated
        with logical access roles are approved by authorized personnel.
      annotation: '1. Ensure that access to systems is granted after appropriate approvals.

        2. Ensure that production access is controlled via authentication methods.'
      typical_evidence: 'E-IAM-12 - List of User IDs

        E-IAM-34 - Access grant evidences

        E-IAM-35 - Production access authentication'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:1
          text: 1. Observe and validate for a sample user, that the access to the
            systems was approved by the appropriate party based on the business need.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:2
          text: 2. Validate for a sample of services, that production access is controlled
            via appropriate authentication methods and is configured to use appropriate
            logical access lists.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-26
      name: Source Code Security
      description: Access to modify source code is restricted to authorized personnel.
      annotation: 1. Ensure that access to modify source code is restricted to authorized
        personnel.
      typical_evidence: 'E-IAM-36 - Source Code access restrictions

        E-IAM-37 - Changes made to source code and logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:1
          text: 1. Observe and validate the change management process for code development
            process.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:2
          text: 2. Observe configurations in code source management tools showing
            that only authorized users are able to make changes to source code.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:3
          text: 3. Observe a sample of code change tickets, to show that only authorized
            personnel were able to make the appropriate change necessary.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-27
      name: Service Account Restrictions
      description: Individual user or administrator use of service accounts for O/S,
        applications, and databases is prohibited.
      annotation: 1. Ensure that Individual user or administrator use of service accounts
        for O/S, applications, and databases is prohibited.
      typical_evidence: 'E-IAM-38 - Service accounts listing

        E-IAM-39 - Shared credential management tool screenshots'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:1
          text: 1. Review all interactive service accounts used within the environment
            and confirm that they are disabled or removed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:2
          text: 2. If interactive service accounts are in use these accounts should
            be stored in a shared credential management tool., and access to these
            accounts need to be tied back to an individual user.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-28
      name: PCI Account Restrictions
      description: Organization clients with access to the cardholder data environment
        (CDE), as users or processes, are assigned unique accounts that cannot modify
        shared binaries or access data, server resources, or scripts owned by another
        CDE or Organization; application processes are restricted from operating in
        privileged-mode.
      annotation: '1. Ensure that in cases of multi-tenant environments one organization
        or user cannot effect the security or integrity of another organizations resources.

        2. Ensure that users are restricted from using privileged-mode.'
      typical_evidence: "E-IAM-24 - Access Management Policy\nE-IAM-40 - Network Diagram\
        \ \nE-IAM- 42 - "
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:1
          text: 1. Review the network architecture diagram and confirm that in cases
            of multi-tenant environments that one organization or user cannot effect
            the security or integrity of another organizations resources.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:2
          text: 2. Observe the application processes showing that they are restricted
            from using privileged-mode.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-29
      name: Least Privilege
      description: Role-based access is defined and deployed to restrict privileged
        access to information resources based on the concept of least privilege.
      annotation: '1. Design and document the process for assigning least privilege
        access.

        2. Ensure access is granted as per required approvals.'
      typical_evidence: 'E-IAM-01 - Logical Access Policy

        E-IAM-41 - Access approvals'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:1
          text: 1. Inspect logical access policy and validate that each role is assigned
            the correct level of access.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:2
          text: 2. Inspect the logical access systems and review how the access levels
            are granted for types of roles (Developers, SWE, SRE).
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:3
          text: 3. For a sample of employees, inspect the level of access available
            and correlate to the job role and confirm that they are congruent.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-30
      name: Virtual Private Network
      description: Remote connections to the corporate network are accessed via VPN
        through managed gateways.
      annotation: "1. Design and document process for requirements of remote connection\
        \ to corporate network. \n2. Ensure all remote connections are via VPN."
      typical_evidence: 'E-IAM-19 - Remote Access Standard

        E-IAM-43 - VPN Configuration and process'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:1
          text: 1. Inspect Remote Access Standard to determine whether requirements
            for remotely connecting to the corporate network were defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:2
          text: 2. Inspect a user remotely connect to the Corporate Network via VPN.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-31
      name: 'Virtual Private Network: Restrict Split-Tunneling'
      description: VPN configurations restrict split-tunneling capabilities.
      annotation: 1. Ensure split tunneling is not enabled.
      typical_evidence: E-IAM-43 - VPN Configuration and process
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31:question:1
          text: '1. Inspect the VPN configurations and ensure that split tunneling
            is not enabled. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-32
      name: Ability to Disable Remote Sessions
      description: Organization has a defined process and mechanisms in place to expeditiously
        disable or disconnect remote access to information systems within a defined
        time frame based on business need.
      annotation: '1. Ensure that the server configuration for idle-session timeout
        is set to 15 minutes.

        2. Ensure that access credentials expiry configuration is present.

        3. Ensure remote connection tools such as (VPN or Management consoles) have
        session expirations enabled.'
      typical_evidence: 'E-IAM-44 - Server configuration for idle session timeout

        E-IAM-45 - Credential expiry configuration

        E-IAM-46 - Session expiration enabled configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:1
          text: 1. Inspect the server configuration showing that idle-session timeout
            is set to 15 minutes.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:2
          text: 2. Validate that access credentials expiry configuration is present.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:3
          text: 3. Inspect that remote connection tools such as (VPN or Management
            consoles) have session expirations enabled.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-33
      name: 'Remote Maintenance: Authentication Sessions'
      description: Vendor accounts used for remote access are enabled only during
        the time period needed, disabled when not in use, and monitored while in use.
      annotation: '1. Ensure that vendor accounts that are used for remote access,
        have the following configurations:

        -Enabled only for the time period needed

        -Disabled when not in use

        -Monitored when in use'
      typical_evidence: E-IAM-47 - Remote access configuration
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:1
          text: '1. Validate that vendor accounts that are used for remote access,
            have the following configurations:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:2
          text: -Enabled only for the time period needed
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:3
          text: -Disabled when not in use
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:4
          text: -Monitored when in use
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-34
      name: 'Remote Maintenance: Unique Authentication Credentials for each Customer'
      description: Where applicable, Service providers with remote access to customer
        premises (e.g., for support of POS systems or servers) must use a unique authentication
        credential (such as a password/phrase) for each customer.
      annotation: 1. Ensure that remote access to customer premises are using unique
        individual credentials, and that there is no shared administrative access.
      typical_evidence: E-IAM-48 - Remote Access credentials listing
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34:question:1
          text: 1. Inspect that remote access to customer premises are using unique
            individual credentials, and that there is no shared administrative access.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-35
      name: 'Remote Maintenance: Authentication'
      description: 'Remote maintenance and diagnostic tool utilization are restricted
        to the minimum required level, strong authentication is required, and remote
        sessions are recorded. '
      annotation: '1. Ensure remote maintenance and diagnostic tools have the following
        configurations:

        -Restricted to the minimum required level

        -Strong authentication

        -Remote sessions are recorded'
      typical_evidence: E-IAM-47 - Remote access configuration
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:1
          text: '1. Inspect remote maintenance and diagnostic tools and ensure that
            they have the following configurations:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:2
          text: -Restricted to the minimum required level
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:3
          text: -Strong authentication
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:4
          text: -Remote sessions are recorded
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-36
      name: 'Remote Maintenance: Audit'
      description: Organization documents and maintains records for vendor remote
        maintenance, diagnostic activities, and permissions granted. A listing of
        vendor remote maintenance connections is documented as well.
      annotation: '1.Ensure vendor remote access is documented and that they include:

        -Maintenance activities

        -Diagnostic activities

        -Permissions granted

        2. Ensure that there is no unauthorized access be vendor or third parties.'
      typical_evidence: E-IAM-49 - Remote Vendor access listing and permissions granted
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:1
          text: 1. Inspect documents and records for vendor remote access.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:2
          text: '2. Review the records and ensure that they include:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:3
          text: -Maintenance activities
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:4
          text: -Diagnostic activities
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:5
          text: -Permissions granted
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:6
          text: 3. Review the list of vendor remote connections and ensure that there
            is no unauthorized access.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-37
      name: End-user Environment Segmentation
      description: Where applicable, processes that run as part of an Organization
        shared hosting platform will run under unique credentials that permit access
        to only one customer environment.
      annotation: 1. Where applicable, ensure that the platform will run under unique
        credentials that permit access to only one customer environment.
      typical_evidence: E-IAM-50 - Credential Listing
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37:question:1
          text: 1. Inspect application processes and validate that, where applicable,
            the platform will run under unique credentials that are permitted to access
            only one customer environment.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-38
      name: End-user Access to Applications and Data
      description: "Organization applications secure user data and maintain confidentiality\
        \ by default or according to permissions set by the individual; Organization\
        \ authenticates individuals with unique identifiers and passwords prior to\
        \ enabling access to: \n\u2022 use the application \n\u2022 view or modify\
        \ their own data"
      annotation: "1. Ensure that individuals are given unique identifiers and passwords\
        \ prior to enabling access. \n2. Ensure that passwords used by the consumer\
        \ are protected using proper encryption in transmission and storage."
      typical_evidence: 'E-IAM-51 - Identifiers listing

        E-IAM-52 - password setting mechanism

        E-IAM-53 - password encryption evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:1
          text: '1. Inspect the authentication method for consumers, and confirm that
            individuals are given unique identifiers and passwords prior to enabling
            access. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:2
          text: 2. Ensure that passwords used by the consumer are protected using
            proper encryption in transmission and storage.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106
      ref_id: IAM-39
      name: Hardware Tokens
      description: Where applicable, hardware token-based authentication is facilitated
        only by approved organizations.
      annotation: "1. Design the process for hardware token-based authentication.\
        \ \n2. Ensure that the hardware tokens are assigned to the corresponding users."
      typical_evidence: 'E-IAM-54 - Hardware Token Based Authentication Process document

        E-IAM-55 - Hardware token granting evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:1
          text: 1. Inspect the process by which hardware token-based authentication
            is distributed, used, and collected.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:2
          text: 2. For a sample of users, inspect the inventory of the hardware tokens
            and ensure that they are assigned to the corresponding users.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      assessable: false
      depth: 1
      name: Incident Response
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-01
      name: Incident Response Plan
      description: "Organization defines the types of incidents that need to be managed,\
        \ tracked and reported, including:\n\u2022 procedures for the identification\
        \ and management of incidents \n\u2022 procedures for the resolution of confirmed\
        \ incidents\n\u2022 key incident response systems\n\u2022 incident coordination\
        \ and communication strategy\n\u2022 contact method for internal parties to\
        \ report incidents\n\u2022 support team contact information\n\u2022 notification\
        \ to relevant management in the event of a security breach\n\u2022 provisions\
        \ for updating and communicating the plan\n\u2022 provisions for training\
        \ of support team\n\u2022 preservation of incident information\n\u2022 management\
        \ review and approval, annually, or when major changes to the organization\
        \ occur"
      annotation: '1. Prepare, document, and communicate the Incident Response Plan
        and Incident Management Policy and ensure that the following are documented:

        a. Procedures for the assignment of Roles and Responsibilities for the design
        implementation, maintenance and execution of the incident response plan

        b. Procedures for the identification and management of incidents

        c. Procedures for the resolution of confirmed incidents

        d. Procedures for the restoration of data and business operation

        e. Incident coordination and communication strategy

        f. Notification to relevant management in the event of a security breach

        g. Provisions for updating and communicating the plan

        h. Provisions for evaluating the effectiveness of incident response

        i. Post incident resolution including post mortem analysis and lessons learned

        2. Ensure that a process exists to periodically review the changes which displays
        revision history of the Incident Response Plan.'
      typical_evidence: 'E-IR-01 - Incident Response Plan

        E-IR-02 - Incident Management Policy

        E-IR-03 - Review history'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:1
          text: '1. Inspect the Incident Response Plan and Incident Management Policy
            to determine whether the following are documented:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:2
          text: a. Procedures for the assignment of Roles and Responsibilities for
            the design implementation, maintenance and execution of the incident response
            plan
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:3
          text: b. Procedures for the identification and management of incidents
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:4
          text: c. Procedures for the resolution of confirmed incidents
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:5
          text: d. Procedures for the restoration of data and business operation
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:6
          text: e. Incident coordination and communication strategy
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:7
          text: f. Notification to relevant management in the event of a security
            breach
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:8
          text: g. Provisions for updating and communicating the plan
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:9
          text: h. Provisions for evaluating the effectiveness of incident response
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:10
          text: i. Post incident resolution including post mortem analysis and lessons
            learned
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:11
          text: 2. Review the changes which displays revision history of the Incident
            Response Plan.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-02
      name: Incident Response Testing
      description: Organization tests incident response processes on an annual basis.
        Results from the tests are documented.
      annotation: '1. Ensure that a process exists to test the incident response process
        on an annual basis.

        2. Ensure that Incident Response Standard is updated at least annually.

        3. Establish a process for conducting the trainings such as table top exercise
        and ensure that all necessary personnel attended the training.'
      typical_evidence: 'E-IR-01 - Incident Response Plan

        E-IR-04 - Incident Training Records

        E-IR-05 - Incident Training Material '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:1
          text: 1. Validate with the Incident response team of the completion of the
            training and its documentation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:2
          text: 2. Validate that Incident Response Standard is updated at least annually.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:3
          text: 3. Review elements of the training such as table top exercise and
            confirm that all necessary personnel attended the training.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-03
      name: Incident Response
      description: Confirmed incidents are assigned a priority level and managed to
        resolution. If applicable, Organization coordinates the incident response
        with business contingency activities.
      annotation: '1. Prepare, document, and communicate the Security Incident Management
        Policy within the organization.

        2. Ensure that priority level are assigned to a sample of incidents and that
        they are tracked to resolution.

        3. For any crisis declared incidents, validate that business contingency activities
        are performed.'
      typical_evidence: 'E-IR-02 - Incident Management Policy

        E-IR-06 - Sample of incidents'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:1
          text: 1. Inspect the Organization Security Incident Management Policy.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:2
          text: 2. Validate that priority level are assigned to a sample of incidents
            and ensure that they are tracked to resolution.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:3
          text: 3. Validate that for any crisis declared incidents, that business
            contingency activities were performed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-04
      name: External Communication of Incidents
      description: "Organization defines external communication requirements for incidents,\
        \ including:\n\u2022 information about external party dependencies\n\u2022\
        \ criteria for notification to external parties as required by Organization\
        \ policy in the event of a security breach\n\u2022 contact information for\
        \ authorities (e.g., law enforcement, regulatory bodies, etc.)\n\u2022 provisions\
        \ for updating and communicating external communication requirement changes"
      annotation: "1. Ensure that following details are documented in Incident Response\
        \ Plan and Standard:\n \u2022 information about external party dependencies\n\
        \ \u2022 criteria for notification to external parties as required by policy\
        \ in the event of a security breach\n \u2022 contact information for authorities\
        \ (e.g., law enforcement, regulatory bodies, etc.)\n \u2022 provisions for\
        \ updating and communicating external communication requirement changes\n\
        2. Establish a process that flags the alerts as the defined escalation metrics."
      typical_evidence: 'E-IR-01 - Incident Response Plan

        E-IR-02 - Incident Management Policy'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:1
          text: '1. Inspect the Incident Response Plan and Standard to determine whether
            the following are documented:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:2
          text: " \u2022 information about external party dependencies"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:3
          text: " \u2022 criteria for notification to external parties as required\
            \ by policy in the event of a security breach"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:4
          text: " \u2022 contact information for authorities (e.g., law enforcement,\
            \ regulatory bodies, etc.)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:5
          text: " \u2022 provisions for updating and communicating external communication\
            \ requirement changes"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:6
          text: 2. Review the procedure for alert escalation
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-05
      name: Incident Reporting Contact Information
      description: "Organization provides a contact method to:\n\u2022 submit complaints\
        \ and inquiries\n\u2022 report incidents"
      annotation: 1. Define a communication channel on the company public website
        which shall include a contact method for external parties to submit complaints,
        inquiries, and report incidents.
      typical_evidence: E-IR-08 - Link to public website
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05:question:1
          text: 1. Review public website to determine whether the company provides
            a contact method for external parties to submit complaints, inquiries,
            and report incidents.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-06
      name: Incident External Communication
      description: Organization communicates a response to external stakeholders as
        required by the Incident Response Plan.
      annotation: '1. Ensure that the Incident Response Plan and the Incident Legal
        Communications Requirements Standard include a process for communicating a
        response to external stakeholders is required.

        2. Design a process to maintain the list of confirmed incidents which involved
        external stakeholders.

        3. Establish a process which sends out communications to external stakeholders
        per the Incident Response Plan.'
      typical_evidence: 'E-IR-01 - Incident Response Plan

        E-IR-09 - Incident Legal Communications Requirements Standard

        E-IR-06 - Sample of incidents'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:1
          text: 1. Inspect the Incident Response Plan and the Incident Legal Communications
            Requirements Standard to determine whether communicating a response to
            external stakeholders is required.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:2
          text: 2. Obtain a list of confirmed incidents which involved external stakeholders.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:3
          text: 3. Inspect a sample of confirmed incidents tickets to determine whether
            communications required a response to external stakeholders per the Incident
            Response Plan.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-07
      name: 'External Communication of Incidents: Protected Health Information'
      description: "Organization communicates the discovery and status of the breach\
        \ of Protected Health Information (PHI) to the covered entity within 60 days\
        \ or as required by the Business Associates Agreement (BAA) and provides the\
        \ following information if available:\n\u2022 description of the Event\n\u2022\
        \ description of the Information that was compromised\n\u2022 identification\
        \ of the Individuals whose PHI were compromised\n\u2022 steps Required to\
        \ Protect Individuals\n\u2022 investigation Plan\n\u2022 contact Information"
      annotation: "1. Design the process to validate whether an incident includes\
        \ Personal Health information.\n2. Ensure that all incidents where there has\
        \ been a breach have been communicated to the covered entity within 60 days,\
        \ or following the covered entity's Business Associates Agreement.\n3. Ensure\
        \ that within the communication all the listed information was provided to\
        \ the covered entity:\n\u2022 description of the Event\n\u2022 description\
        \ of the Information that was Compromised\n\u2022 identification of the Individuals\
        \ whose PHI were Compromised\n\u2022 steps Required to Protect Individuals\n\
        \u2022 investigation Plan\n\u2022 contact Information"
      typical_evidence: 'E-IR-10 - Business Associates Agreement

        E-IR-11 - Sample external communication of the incident'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:1
          text: 1. Validate all incidents have included Personal Health information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:2
          text: 2. Inspect whether all the incidents where there has been a breach
            have been communicated to the covered entity within 60 days, or following
            the covered entity's Business Associates Agreement.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:3
          text: '3. Validate whether the communication was sent to the covered entity
            and included all the listed information:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:4
          text: "\u2022 description of the Event"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:5
          text: "\u2022 description of the Information that was Compromised"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:6
          text: "\u2022 identification of the Individuals whose PHI were Compromised"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:7
          text: "\u2022 steps Required to Protect Individuals"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:8
          text: "\u2022 investigation Plan"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:9
          text: "\u2022 contact Information"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146
      ref_id: IR-08
      name: Problem Management
      description: Organization resolves customer support inquiries.
      annotation: 1. Establish a process to support customer inquires and ensure that
        they have been resolved and documented.
      typical_evidence: E-IR-12 - Sample of customer support inquiry
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08:question:1
          text: 1. Review a sample of customer support inquires and ensure that they
            have been resolved.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155
      assessable: false
      depth: 1
      name: Mobile Device Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155
      ref_id: MDM-01
      name: Mobile Device Enrollment
      description: Mobile devices (i.e., laptops, smartphones, tablets) must be configured
        with the appropriate Mobile Device Management (MDM) profile when used as a
        medium to access Organization internal resources.
      annotation: '1. Ensure that a Mobile device management process is defined and
        documented.

        2. Ensure that all mobile devices are registered and configured within the
        appropriate Mobile Device Management (MDM) to access the internal resources.'
      typical_evidence: 'E-MDM-01 - Mobile device management policy

        E-MDM-02 - List of all mobile devices registered with MDM tool

        E-MDM-03. - '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:1
          text: 1. Inspect the Mobile device Policy to ensure that a Mobile Device
            management process is defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:2
          text: 2. Inspect the list of mobile devices to verify that the devices are
            registered within the Mobile Device Management (MDM) tool.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:3
          text: 3. For a sample of devices, validate that the devices are configured
            with the MDM tool and that it cannot be disabled from the end user device.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155
      ref_id: MDM-02
      name: Mobile Device Encryption
      description: Mobile devices (i.e., laptops, smartphones, tablets) that are used
        to access data from Organization internal resources are encrypted.
      annotation: 1. Ensure that mobile devices are encrypted and is configured with
        the Mobile Device Management (MDM) tool.
      typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM
        tool

        E-MDM-04 - Sample mobile device screenshots showcasing the devices are encrypted
        in the MDM tool'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:1
          text: 1. Review the Mobile Device Management (MDM) tool and ensure that
            a device encryption tool is enabled for all registered devices.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:2
          text: 2. Review a sample of mobile devices and verify that device encryption
            tools are enabled on devices and cannot be disabled by the end user.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155
      ref_id: MDM-03
      name: 'Configuration Management: Mobile Devices'
      description: Organization Mobile devices (i.e., laptops, smartphones, tablets)
        are configured to ensure unnecessary hardware capabilities and functionalities
        are disabled, and management defined security features are enabled.
      annotation: '1. Ensure that mobile devices are configured to ensure unnecessary
        hardware capabilities and functionalities are disabled.

        2. Ensure security features defined by the management shall be enabled within
        the MDM tool.'
      typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM
        tool

        E-MDM-05 - Sample mobile device configuration screenshots showcasing the security
        features are enabled'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:1
          text: 1. Review the Mobile Device Management (MDM) tool and confirm that
            there is a policy implemented that restricts the use of unnecessary hardware
            capabilities and functionalities are disabled.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:2
          text: 2. For a sample of mobile devices, verify security features are enabled
            in the MDM tool.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:3
          text: 3 Review a sample of user devices and verify that the end user cannot
            use hardware capabilities and functionalities that have been disabled
            by the MDM tool per its policy and that these functionalities are not
            able to be re-activated by the end user.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155
      ref_id: MDM-04
      name: 'Configuration Management: High Risk Travel Locations'
      description: Organization has a documented list of travel locations considered
        high risk for the use of mobile devices (i.e., laptops, smartphones, tablets).
        Employees procure alternate equipment before traveling to these locations.
      annotation: "1. Ensure that a process is defined and documented for handling\
        \ travel to high-risk locations.\n2. Ensure that a documented list of travel\
        \ locations considered to be high risk for the use of mobile devices is maintained.\
        \ \n3. Ensure alternate equipment is provided to employees before traveling\
        \ to these locations."
      typical_evidence: 'E-MDM-06 - List of high risk travel locations

        E-MDM-03 - Sample mobile device configuration screenshots from the MDM tool'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            handling travel to high-risk locations.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:2
          text: '2. Validate the list of travel locations considered to be high risk
            for the use of mobile devices '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:3
          text: 3. Validate the process for providing alternate equipment to employees
            before traveling to these locations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      assessable: false
      depth: 1
      name: Network Operations
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-01
      name: Network Policy Enforcement Points
      description: Network traffic to and from untrusted networks passes through a
        policy enforcement point; firewall rules are established in accordance with
        identified security requirements and business justifications.
      annotation: '1. Ensure that necessary process and documentation are established
        for network traffic management.

        2. Ensure necessary requirements are defined for managing network traffic
        to and from untrusted networks in the policy.

        3. Ensure firewall rules are established to determine specific configuration
        requirements have been documented for network devices within the policy.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-02 - Firewall Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:1
          text: 1. Inspect Network Security Policy and/or Standard to determine whether
            requirements have been defined for managing network traffic to and from
            untrusted networks.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:2
          text: 2. Review firewall rules to ensure they are defined according to the
            requirements of the organization.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-02
      name: 'Inbound and Outbound Network Traffic: DMZ Requirements'
      description: Network traffic to and from untrusted networks passes through a
        Demilitarized Zone (DMZ).
      annotation: '1. Ensure necessary requirements are defined which outlines the
        use of a DMZ and firewalls must be used wherever necessary to enforce perimeter
        security between separate networks in the policy.

        2. Ensure DMZ is enabled and configured within the network traffic.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-03 - DMZ Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:1
          text: 1. Inspect Network Security Policy and/or Standard documents to determine
            whether requirements have been defined that outlines the use of a DMZ
            and firewalls must be used wherever necessary to enforce perimeter security
            between separate networks.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:2
          text: 2. Observe a sample of network security rules or firewall rulesets
            and confirm that the DMZ or DMZ equivalents are operating in the rulesets.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-03
      name: Ingress and Egress Points
      description: "Organization maintains an inventory of ingress and egress points\
        \ on the production network and performs the following for each: \n\u2022\
        \ inventory is reduced to the minimum possible level\n\u2022 permitted ports,\
        \ protocols and services are inventoried and validated\n\u2022 documents security\
        \ features that are implemented for insecure protocols"
      annotation: "1. Ensure a process is maintained for inventory of ingress and\
        \ egress points on the production network\n2. Ensure network security rules\
        \ are defined and established with the following: \n\u2022 permitted ports,\
        \ protocols and services are inventoried and validated\n\u2022 documented\
        \ security features that are implemented for insecure protocols"
      typical_evidence: 'E-NO-04 - Network security rules inventory

        E-NO-05 - Security Rules Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:1
          text: 1. Observe the inventory of ingress and egress points on the production
            network.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:2
          text: 2. Observe network security rules and validate to ensure no insecure
            ports, protocols, and services are present.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:3
          text: 3. If applicable, for any insecure ports, protocols, and services,
            ensure that additional security features are in place.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-04
      name: Non-disclosure of Routing Information
      description: Organization does not disclose private IP addresses and routing
        information to unauthorized parties.
      annotation: 1. Ensure necessary requirements are defined that prohibits the
        disclosure of private IP addresses and routing information to unauthorized
        parties in the policy.
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-07 - NAT Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:1
          text: 1. Inspect Network Security Policy and/or Standard documents to determine
            whether requirements have been defined that prohibits the disclosure of
            private IP addresses and routing information to unauthorized parties.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:2
          text: 2. Review the configuration to determine the non-disclosure of private
            IP Addresses and Network Address Translation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-05
      name: Dynamic Packet Filtering
      description: Where applicable, Organization enables dynamic packet filtering
        on the network.
      annotation: '1. Ensure that Network Security Policy/Standard specifies when
        to use dynamic packet filtering on the network.

        2.Ensure dynamic packet filtering is turned on applicable systems.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-06 - Dynamic packet filtering configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:1
          text: 1. Inspect Network Security Policy and/or Standard documents to determine
            whether requirements have been defined that outlines that dynamic packet
            filtering on the network should be enabled when applicable.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:2
          text: 2. For a sample of applicable systems review the configurations for
            the devices and ensure that dynamic packet filtering has been enabled.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-06
      name: Firewall Rule Set Review
      description: Network infrastructure rule sets are reviewed every 6 months.
      annotation: "1. Ensure that a process is defined and documented for performing\
        \ Network Infrastructure rules every six months. \n2. Ensure network infrastructure\
        \ rules are reviewed and appropriate documentation is maintained for this\
        \ review."
      typical_evidence: E-NO-08 - Network Infrastructure Rules Review Records
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06:question:1
          text: 1 Observe the Network infrastructure rules review documentation and
            verify that it was last reviewed within the last 6 months.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-07
      name: 'Ingress and Egress Points: Fail Secure'
      description: 'The information system fails securely in the event of an operational
        failure of a boundary protection device.

        '
      annotation: '1. Ensure that appropriate fail safe procedures are defined for
        network boundary protection devices.

        2. Ensure all network systems are configured to fail securely in the event
        of an operational failure.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-09 - Sample of network configuration settings for applicable systems'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:1
          text: 1. Inspect Network Security Policy/Standard to determine whether requirements
            have been defined that outlines that in the event of an operation failure
            that information systems fail securely.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:2
          text: 2. For a sample of applicable systems review the configurations for
            the devices and confirm that in the event of failure that the systems
            will fail securely.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-08
      name: 'Traffic Flow: Managed Proxy'
      description: Organization requires egress traffic initiated from within the
        Organization network to pass through a managed proxy.
      annotation: '1. Ensure that a process is defined and documented so that all
        egress traffic from within the organization passes through a proxy.

        2.Ensure that proxy servers have been deployed on application systems for
        the filtering of traffic.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-10 - Sample of network architecture for applicable systems'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:1
          text: 1. Inspect documentation to determine whether requirements have been
            defined that outlines that all egress traffic initiated from within the
            Organization's network passes through a managed proxy.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:2
          text: 2. For a sample of applicable systems review the architecture and
            ensure that all egress traffic from within the network is passed through
            the managed proxy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-09
      name: Domain Name Services Security Extensions (DNSSec)
      description: Organization establishes a DNSSec implementation standard and uses
        mechanisms to verify the DNS infrastructure for compliance.
      annotation: '1. Ensure that a process is defined and documented for a DNSSec
        implementation.

        2. Ensure appropriate mechanism are in place to validate DNS infrastructure
        for compliance.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-11 - Configuration of DNS Servers'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:1
          text: 1. Inspect documentation to determine whether requirements have been
            defined that outlines a DNSSec implementation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:2
          text: 2. Review a sample of DNS infrastructure used and ensure that they
            are following the DNSSec implementation requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-10
      name: Email Spam Protection
      description: 'Organization has documented procedures and protection mechanisms
        in place to protect its information and information systems from spam and
        ensures that signature definitions are updated whenever new releases are available.

        '
      annotation: "1. Ensure that a process is defined and documented to ensure spam\
        \ protection on emails. \n2. Ensure that appropriate controls are deployed\
        \ to prevent spam from emails.\n3. Ensure that spam signature definitions\
        \ are updated when new releases are available."
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-12 - Email Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:1
          text: 1. Inspect the documentation to ensure a process is defined for spam
            protection.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:2
          text: 2. For a sample of applicable systems such as mail servers ensure
            that anti-spam filters are enabled and are updated to the most recent
            version possible.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-11
      name: Denial of Service (DOS)
      description: Organization implements a Denial of Service (DOS) protection plan,
        identifies threatening DOS attacks, and configures boundary protection devices
        according to the DOS plan.
      annotation: '1. Ensure a process is defined and documented to prevent from Denial
        of Service (DoS) attacks.

        2. Ensure that boundary protection devices are configured as per the process
        to enable Denial of Service Attack Protection.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-23 - Denial of Service Protection Plan Configuration on network devices'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:1
          text: 1. Inspect documentation to determine whether requirements have been
            defined that outlines that a Denial of Service (DoS) protection plan.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:2
          text: 2. For a sample of applicable system ensure that configuration aligns
            with the Denial of Service Protection Plan.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-12
      name: Trusted Connections
      description: "All trusted connections are documented and approved by authorized\
        \ personnel; management ensures the following documentation is in place prior\
        \ to approval: \n\u2022 agreement with vendor\n\u2022 security requirements\n\
        \u2022 nature of transmitted information"
      annotation: '1. Ensure that a process is defined and documented for managing
        trusted connections.

        2. Ensure that all trusted connections are documented and approved by authorized
        personnel.

        3. Ensure that appropriate agreements with vendors exist before establishing
        trusted connection.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-13 - Vendor Agreement'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:1
          text: 1. Inspect and validate whether a process is defined and documented
            for managing trusted connections.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:2
          text: 2. Validate for a sample trusted connections that it was documented
            and approved by authorized personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:3
          text: 3. Validate whether appropriate agreement with vendors existed before
            establishing trusted connection.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-13
      name: Network Segmentation
      description: Production environments are logically segregated from non-production
        environments.
      annotation: '1. Ensure that a process is defined and documented to ensure that
        production and non-production environments are logically segregated.

        2. Ensure that for all systems production and non-production environments
        are logically segregated and this is reflected via appropriate architecture
        diagrams.'
      typical_evidence: 'E-NO-14 - Network Architecture Diagram

        E-NO-16 - Configuration of Logical Segregation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:1
          text: 1. Inspect and validate whether a process is defined and documented
            to ensure that production and non-production environments are logically
            segregated.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:2
          text: 2. Validate for a sample system whether production and non-production
            environments are logically segregated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-14
      name: Card Processing Environment Segmentation
      description: Where applicable, Organization segregates the Primary Account Number
        (PAN) infrastructure including payment card collection devices; Organization
        limits access to the segregated environment to authorized personnel.
      annotation: '1. Ensure that a process is defined and documented for segregating
        PCI Environment from non-PCI environment.

        2. Ensure that network segmentation testing is performed on a semi-annual
        basis.

        3. Ensure that the Data flow and architecture diagram is updated periodically
        and reviewed by required officials.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-15 - Network Segmentation Testing Records

        E-NO-17 - Data Flow Diagrams

        E-NO-14 - Network Architecture Diagram'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:1
          text: 1. Inspect and validate whether a process is defined and documented
            for segregating PCI Environment from non-PCI environment.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:2
          text: 2. Validate whether network segmentation testing was performed on
            a semi annual basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:3
          text: 3. Validate whether the Data flow and architecture diagram were updated
            periodically and were approved.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-15
      name: Traffic Flow
      description: Organization documents the approved traffic flow at each managed
        interface and configures the managed interface accordingly. Exceptions to
        traffic flow are documented, reviewed periodically, and removed when there
        is no longer a business requirement.
      annotation: '1. Ensure a process is defined and documented for managing traffic
        flow at each interface.

        2. Ensure all managed interfaces are configured as per the approved traffic
        flow.

        3. Ensure all exceptions are documented, reviewed periodically, and removed
        when there is no longer a business requirement. '
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-18 - Approved Traffic Flow and configuration

        E-SG-04 - Sample Policy Exceptions'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:1
          text: 1. Inspect and validate whether a process is defined and documented
            for managing traffic flow at each interface.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:2
          text: 2. Validate for a sample of managed interface that it is configured
            as per the approved traffic flow.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:3
          text: '3. Validate for a sample of exceptions whether they were documented,
            reviewed periodically, and removed when there was no longer a business
            requirement. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-16
      name: Disable Rogue Wireless Access Points
      description: Organization employs mechanisms to detect and disable the use of
        unauthorized wireless access points.
      annotation: '1. Ensure a process is defined and documented to detect unauthorized
        wireless access points.

        2. Ensure network monitoring software is in place to identify unauthorized
        wireless access points send alerts to the appropriate personnel.

        3. Ensure that alerts are regularly reviewed, and if necessary, actions are
        taken to fix any issues.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-19 - Network Monitoring Software Configuration

        E-NO-20 - Sample alerts sent showcasing unauthorized wireless access points'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:1
          text: 1. Inspect and validate that a process is defined and documented to
            detect unauthorized wireless access points.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:2
          text: 2. Validate the configuration of network monitoring software to check
            if it detects unauthorized wireless access points send alerts to the appropriate
            personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:3
          text: 3. Validate sample alerts and inspect whether they were reviewed,
            and if necessary, actions were taken to fix any issues.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-17
      name: Wireless Access Points
      description: Organization maintains an inventory of authorized wireless access
        points including a documented business justification.
      annotation: 1. Ensure that a formal inventory of authorized wireless access
        points is documented which includes information of the function of the wireless
        point and its business justification.
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-21 - Wireless Access Point Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:1
          text: 1. Inspect and validate that an inventory of authorized wireless points
            is maintained.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:2
          text: 2. Validate that the inventory contains the business need and the
            function of each wireless access point
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160
      ref_id: NO-18
      name: 'Authentication: Wireless Access Points'
      description: Organization restricts access to network services via wireless
        access points to authenticated users and services; approved wireless encryption
        protocols are required for wireless connections.
      annotation: '1. Ensure that a process is defined and documented to restrict
        access to network services via wireless access points to authenticated users
        and services

        2. Ensure Approved wireless encryption protocols are required for wireless
        connections.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-NO-22 - Wireless Connections Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:1
          text: 1. Inspect and validate that a process is defined and documented to
            restrict access to network services via wireless access points to authenticated
            users and services
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:2
          text: 2. Validate whether approved wireless encryption protocols are required
            for wireless connections.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      assessable: false
      depth: 1
      name: People Resources
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-01
      name: Background Checks
      description: New hires are required to pass a background check as a condition
        of their employment.
      annotation: '1. Ensure that a process is defined and documented to conduct background
        checks for new hires.

        2. Ensure that a background check is completed prior to the hire date for
        all new hires.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-02 - Background Check Evidence for sample new hire employees'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:1
          text: '1. Inspect documentation to validate whether requirements for background
            checks have been defined. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:2
          text: 2 For a sample of new hires, validate that background checks defined
            in the policy were performed prior to their hire date.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-02
      name: Performance Management
      description: Organization has established a check-in performance management
        process for on-going dialogue between managers and employees. Quarterly reminders
        are sent to managers to perform their regular check-in conversation.
      annotation: '1. Document and maintain a check-in performance management process
        for on-going dialogue between managers and employees.

        2. Ensure reminders are sent to managers on a quarterly basis for performing
        regular check-in.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-03 - Sample Quarterly Check In Reminders'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:1
          text: 1. Inspect relevant documentation to validate whether a process regarding
            check-in performance management has been defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:2
          text: 2. For a sample of quarters, inspect the mail communication to determine
            whether quarterly reminders are sent to managers to perform their regular
            check-in conversation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-03
      name: Hiring Process
      description: Job candidates apply for roles that are listed on the Organization
        career portal; candidates are interviewed to determine their knowledge and
        competence for their prospective roles and compatibility with Organization
        values.
      annotation: '1. Ensure that a process is defined and documented that outlines
        the requirements for hiring of employees.

        2. Ensure all job roles are posted on career portal for application.

        3. Ensure appropriate hiring process is followed to determine competence before
        hiring.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-04 - Career Portal Snapshot

        E-PR-05 - Hiring Process for a sample employee'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:1
          text: 1. Inspect and validate that a process is defined and documented that
            outlines the requirements for hiring of employees.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:2
          text: 2. Validate sample job roles and check if they are posted on career
            portal for application.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:3
          text: 3. For sample employees validate the hiring process followed and evaluate
            whether it was according to the policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-04
      name: Organization Property Collection
      description: 'Upon employee termination, management is notified to collect Organization
        property from the terminated employee.

        '
      annotation: '1. Ensure a process is defined and documented to notify the management
        in case of employee termination and collect organization property.

        2. Ensure termination procedures are followed to collect organization property
        from the employee.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-06 - Termination Process Evidence for sample employees'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:1
          text: 1. Inspect the relevant documentation to determine whether a process
            is defined and documented to notify the management in case of employee
            termination and collect organization property.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:2
          text: 2. For a sample of terminated employees, validate that termination
            procedures were followed to collect organization property.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-05
      name: Exit Interviews
      description: Upon employee termination, management conducts exit interviews
        for the terminated employee.
      annotation: '1. Ensure a process is defined and documented to notify the management
        in case of employee termination and conduct exit interviews

        2. Ensure exit interviews are conducted once a user is terminated in HR Management
        System and relevant stakeholders are involved.

        3. Ensure that a record of the interview is retained.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-07 - For sample employees, evidence of an exit interview'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:1
          text: 1. Inspect the relevant documentation to determine whether a process
            is defined and documented to notify the management in case of employee
            termination and conduct exit interviews
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:2
          text: 2. Inspect records of the exit interview for terminated employees.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:3
          text: '3. For a sample of terminated employees, validate that termination
            procedures were followed including the performance of an exit interview. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-06
      name: Disciplinary Process
      description: Employees that fail to comply with Organization policies are subject
        to a disciplinary process.
      annotation: '1. Ensure that a disciplinary process is defined and documented
        and is appropriately communicated.

        2. Ensure that the disciplinary process is followed for all employees violating
        organizational policies. '
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-08 - Evidence of action taken for employees violating policies, if any'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:1
          text: 1. Inspect relevant documentation to validate that a disciplinary
            process is defined and appropriately communicated.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:2
          text: '2. Validate that disciplinary process was followed for all employees
            violating organizational policies. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-07
      name: Code of Ethics
      description: Organization has a Code of Ethics for Senior Officers. The Senior
        Officers and CEO certify that they understand the Code on an annual basis.
      annotation: '1. Ensure that a Code of Ethics has been established for senior
        officers and the CEO.

        2. Ensure all senior officers and CEO have documented certification of Code
        of Ethics on an annual basis.'
      typical_evidence: 'E-PR-09 - Code of Ethics

        E-PR-10 - Evidence of annual certification'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:1
          text: 1. Inspect and validate that a Code of ethics is defined and documented
            for senior officers and CEO.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:2
          text: 2. Validate that all senior officers and CEO have documented certification
            of code of ethics at least annually.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-08
      name: Business Ethics Hotline
      description: Organization has a business ethics hotline for employees and external
        parties to report ethical misconduct. Allegations are investigated and Organization
        will take appropriate action for confirmed violations. Hotline reports are
        reported to the Audit Committee on a quarterly basis.
      annotation: '1. Ensure that a process has been defined and documented for reporting
        ethical misconduct.

        2. Ensure that allegations made through the hotline are investigated and appropriate
        action is taken.

        3. Ensure Hotline reports are reported to the Audit Committee on a quarterly
        basis.'
      typical_evidence: 'E-PR-01 - Human Resource Policy

        E-PR-11 - Hotline Case Tracking Evidence

        E-PR-12 - Audit Committee Communication Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:1
          text: 1. Inspect the relevant documentation to validate that a process has
            been defined and documented for reporting ethical misconduct.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:2
          text: 2. Validate that the allegations made through the hotline are investigated
            and appropriate action is taken for a sample of reports.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:3
          text: 3. Validate whether the hotline reports are reported to the Audit
            Committee on a quarterly basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-09
      name: National Security Clearance
      description: Organization conducts screening and rescreening of authorized personnel
        for roles that require national security clearances. For national security
        clearances; a reinvestigation is required during the 5th year for top secret
        security clearance, the 10th year for secret security clearance, and 15th
        year for confidential security clearance. In addition, for law enforcement
        and high impact public trust level, a reinvestigation is required during the
        5th year.
      annotation: "1. Document and maintain a process on screening/rescreening or\
        \ vetting of employees that need national security clearances.\n2. Ensure\
        \ list of roles requiring national security clearances is reviewed and kept\
        \ up-to-date.\n3. Ensure that screening and rescreening of authorized personnel\
        \ are conducted for roles that require national security clearances.\n4. For\
        \ national security clearances, ensure that rescreening is conducted for the\
        \ following:\n\u2022 5th year for top secret security clearance\n\u2022 10th\
        \ year for secret security clearance\n\u2022 15th year for confidential security\
        \ clearance\n5. For law enforcement an high impact public trust level, ensure\
        \ that an reinvestigation is conducted during the 5th year"
      typical_evidence: 'E-PR-13 - List of roles that requires national security clearances

        E-PR-14 - List of personnel with national security clearances

        E-PR-15 - Screening and Rescreening Evidences

        E-PR-16 - Reinvestigation Evidences'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:1
          text: 1. Inspect relevant documentation and validate that a process on screening/rescreening
            or vetting of employees that need national security clearances is established.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:2
          text: 2. Validate whether a list of roles requiring national security clearances
            is reviewed and kept up-to-date.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:3
          text: 3. Validate for a sample employee requiring National Security Clearance
            that screening and rescreening was conducted.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:4
          text: '4. For sample national security clearances, validate that rescreening
            was conducted for the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:5
          text: "\u2022 5th year for top secret security clearance"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:6
          text: "\u2022 10th year for secret security clearance"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:7
          text: "\u2022 15th year for confidential security clearance"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:8
          text: 5. For sample law enforcement and high impact public trust level security
            clearance, validate that a reinvestigation was conducted during the 5th
            year.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179
      ref_id: PR-10
      name: Code of Business Conduct
      description: Organization has documented the Code of Business Conduct and Business
        Partner Code of Conduct, which are reviewed, updated if applicable, and approved
        by senior management annually.
      annotation: '1. Ensure that a Code of Business Conduct and Business Partner
        Code of Conduct is defined, documented, and approved by senior management.

        2. Ensure that these documents are reviewed, updated, and approved at least
        on an annual basis.'
      typical_evidence: 'E-PR-17 - Code of Business Conduct

        E-PR-18 - Business Partner Code of Conduct'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:1
          text: 1. Inspect and validate that a Code of Business Conduct and Business
            Partner Code of Conduct is defined, documented, and approved by senior
            management.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:2
          text: 2. Validate that these documents are reviewed, updated, and approved
            at least on an annual basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      assessable: false
      depth: 1
      name: Privacy
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-01
      name: Privacy Program
      description: Organization privacy policies for individuals, including relevant
        updates, are communicated on the public company website or on the internal
        corporate network.
      annotation: '1. Ensure the organization has created a privacy policy.

        2. Ensure the policy is updated and approved on regular intervals.

        3. Ensure the policy is communicated and is available for employees and relevant
        stakeholders.'
      typical_evidence: E-PRIV-01 - Privacy Policy
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:1
          text: 1. Inspect privacy policies and confirm that the policy is updated.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:2
          text: '2. Confirm that anytime the privacy policy is updated, these updates
            are present on the intranet or public website. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-02
      name: Privacy Program Review
      description: "On an annual basis, Organization performs a review of privacy\
        \ practices to ensure the following:\n\u2022 consent is obtained for users\
        \ whose personal information (PI) is managed by Organization\n\u2022 PI inventory\
        \ integrity and accuracy\n\u2022 data access request response template is\
        \ understandable\n\u2022 standard agreement templates are up-to-date\n\u2022\
        \ requests to delete, access or update PI are processed accurately and within\
        \ a timeframe consistent with Organization policy\n\u2022 compliance with\
        \ Organization's privacy commitments\n\u2022 known privacy issues are remediated\n\
        \u2022 opt-in and opt-out compliance with applicable law\n\u2022 Organization\
        \ privacy documentation and practices are relevant to applicable law\n\u2022\
        \ compliance with relevant industry Codes of Conduct (e.g., EDAA)\n\u2022\
        \ if applicable, joint controller responsibilities are clearly defined and\
        \ communicated to both data controllers and the data subject"
      annotation: '1. Ensure that the organization has established a privacy program.

        2. Ensure that the program is reviewed on at least an annual basis.

        3. Ensure that the privacy program contains controls regarding consent, data
        access requests, modification requests, SLAs, privacy issues, roles and responsibilities.

        4. Ensure that agreement templates are reviewed and updated.'
      typical_evidence: E-PRIV-02 - Privacy Review Evidence
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:1
          text: '1. Collect and inspect the organization''s annual privacy review. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:2
          text: 2. Validated that the annual privacy review covers all components.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-03
      name: Privacy Readiness Review
      description: Organization performs privacy readiness reviews to identify high-risk
        processing activities that impact personal data; identified non-compliance
        with Organization privacy practices is tracked through remediation.
      annotation: '1. Ensure that a process has been established for privacy readiness
        reviews.

        2. Ensure privacy readiness reviews are conducted for high-risk processing
        activities.

        3. Ensure necessary actions are taken for the remediation of findings from
        privacy readiness reviews.'
      typical_evidence: E-PRIV-03 - Privacy Readiness Review Evidence
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:1
          text: '1. Inspect privacy readiness reviews and ensure that remediation
            activities were launched for any non-compliant actions. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:2
          text: 2. Validate that remediation activates were resolved and remediated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-04
      name: Privacy Notice
      description: Individuals are given appropriate notice and an opportunity to
        consent or decline to Organization privacy practices such as accessing, collecting,
        processing, transferring, or storing personal information.
      annotation: '1. Ensure that a consent notice is established for users regarding
        privacy guidelines.

        2. Ensure that the users have an option to accept or decline the consent.'
      typical_evidence: E-PRIV-04 - Consent Notice Snapshot
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04:question:1
          text: 1. Inspect Data Protection Policy and procedure documents to ensure
            individuals are given appropriate notice and an opportunity to consent
            or decline to organization privacy practices such as accessing, collecting,
            processing, transferring, or storing personal information.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-05
      name: 'Personal Information Notice and Consent: Additional Processing Activities'
      description: Where appropriate, Organization obtains individual consent for
        processing activities for which consent has not been previously obtained.
      annotation: '1. Ensure that consent is obtained for processing user data.

        2. Ensure that any change in processing activities is followed by an update
        of consent.'
      typical_evidence: E-PRIV-04 - Consent Notice Snapshot
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05:question:1
          text: 1. Inspect Data Protection Policy and procedure documents to determine
            whether organization obtains individual consent for processing activities
            for which consent has not been previously obtained.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-06
      name: Notice of Personal Information Disclosure
      description: In accordance with Organization policy, Organization provides notice
        to individuals regarding legally-required disclosures of personal information.
      annotation: '1. Ensure that a process is established for disclosing user data
        in case of legal enquiries.

        2. Ensure appropriate notice is provided to the users regarding disclosure
        of their data.'
      typical_evidence: E-PRIV-05 - Legal Disclosure Process
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06:question:1
          text: 1. Inspect Organization policy related to disclosure of personal information
            to determine whether process of providing notice to individuals regarding
            legally required disclosures of personal information is documented.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-07
      name: PII Processing Agreements
      description: Personal information is handled and processed in accordance with
        contractual requirements.
      annotation: '1. Ensure that appropriate agreements are established to define
        PII processing requirements.

        2. Ensure all customers sign PII processing agreements.

        3. Ensure all PII is handled and processed as per contractual requirements.'
      typical_evidence: 'E-PRIV-06 - PII Processing Agreements

        E-PRIV-07 - Customer Sample PII Agreement'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:1
          text: 1. Inspect and validate that appropriate agreements are established
            and documented that define PII processing requirements.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:2
          text: 2. For a sample customer validate that PII processing agreement has
            been signed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:3
          text: 3. Validate that all PII is handled and processed as per contractual
            requirements and the employees are briefed of these requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-08
      name: Record of Processing Activity
      description: Organization documents, reviews, and approves a record of processing
        activities related to personal information.
      annotation: '1. Ensure appropriate process has been established to document
        and record all processing activities related to Personal Information.

        2. Ensure the records of PII processing activities are reviewed periodically
        as per contractual requirements.

        3. Ensure that the record is approved by appropriate personnel. '
      typical_evidence: E-PRIV-08 - PII Processing Records
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08:question:1
          text: 1. Inspect a sample of reviews related to processing of personal information
            and validate that it is approved by the authorized personnel.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-09
      name: 'Document Management Standard: HIPAA'
      description: Documentation that impacts personal health information, including
        policies, procedures, and the documentation of actions, activities, or assessments,
        are retained for 6 years from the date of its creation, or the date when it
        last was in effect, whichever is later.
      annotation: '1. Ensure that a process is defined and documented for retaining
        documentation related to personal health information.

        2. Ensure that this documentation is retained at least for 6 years from the
        date of creation or when it was last effective.

        3. Ensure this documentation consists of polices and procedures of actions,
        activities and/or assessments.'
      typical_evidence: E-PRIV-09 - Personal Health Information Documentation Records
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:1
          text: 1. Validate documented retention configuration is set to at least
            6 years for policies, procedures, and assessment for the documents that
            impacts personal health information.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:2
          text: '2. Inspect a sample of documentation going back to the earliest document
            or at least 6 years. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190
      ref_id: PRIV-10
      name: Law Enforcement Requests
      description: Law enforcement agencies may submit requests for evidence; submitted
        requests are reviewed and tracked to resolution.
      annotation: '1. Ensure a process is defined, documented, and approved for law
        enforcement agencies to submit evidence requests for investigation.

        2. Ensure these requests are appropriately tracked and resolved as per contractual
        and legal requirements.

        3. Ensure any evidence sharing is done via secure methods to avoid unauthorized
        access to data.

        4. Ensure only customer data relevant to the investigation is segregated and
        submitted if needed.'
      typical_evidence: 'E-PRIV-10 - Law enforcement Process



        E-PRIV-11 - Sample investigation requests

        E-PRIV-12 - Evidence Sharing method screenshot'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:1
          text: 1. Inspect and validate that a process is defined, documented, and
            approved for law enforcement agencies to submit evidence requests for
            investigation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:2
          text: 2. Validate for a sample of requests that they are appropriately tracked
            and resolved as per contractual and legal requirements.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:3
          text: 3. Validate for a sample request whether the evidence sharing was
            done via secure methods to avoid unauthorized access to data.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:4
          text: 4. Validate how customer data relevant to the investigation was segregated
            and submitted.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201
      assessable: false
      depth: 1
      name: Proactive Security
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201
      ref_id: PS-01
      name: Endpoint Detection and Response
      description: Endpoint Detection and Response (EDR) software is deployed to continuously
        monitor, detect, and respond to cyber threats and patterns of malicious behavior
        and activity.
      annotation: '1. Deploy Endpoint Detection and Response (EDR) software to continuously
        monitor, detect, and respond to cyber threats and patterns of malicious behavior
        and activity.

        2. Ensure that the EDR configurations are periodically reviewed.'
      typical_evidence: 'E-NO-01 - Network Security Standard

        E-PS-01 - Network Security Standard'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:1
          text: 1. For a sample of endpoints, validate whether Endpoint Detection
            and Response (EDR) software is installed and continuously monitor, detect,
            and respond to cyber threats and patterns of malicious behavior and activity.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:2
          text: 2. Inspect whether the EDR configurations are reviewed periodically.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201
      ref_id: PS-02
      name: Threat Hunting
      description: Organization performs threat hunting to identify, track, and disrupt
        threats that evade existing security controls.
      annotation: '1. Conduct cyber threat hunting activities according to an organization-defined
        frequency and/or organization-defined event to detect, track, and disrupt
        threats that evade existing controls.

        2. Establish a threat hunting methodology in accordance with the organization''s
        security objectives.

        3. Define threat indicator information and effective mitigations.'
      typical_evidence: 'E-PS-02 - EDR Configuration Documentation

        E-PS-03 - Threat Hunting program documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:1
          text: 1. Inspect whether cyber threat hunting activities are performed as
            per defined frequency to detect, track, and disrupt threats that evade
            existing controls.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:2
          text: 2. Validate whether a threat hunting methodology exists in accordance
            with the organization's security objectives.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:3
          text: 3. Inspect the threat indicator information and effective mitigations.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201
      ref_id: PS-03
      name: Threat Modeling
      description: Organization performs periodic threat modeling to ensure that potential
        threats are identified and assessed.
      annotation: 1. Ensure that an organization performs periodic threat modeling
        to ensure that potential threats are identified and assessed.
      typical_evidence: E-PS-04 - Threat indicator documentation
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03:question:1
          text: 1. Validate whether an organization performs threat modeling periodically
            to identify and assess potential threats.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201
      ref_id: PS-04
      name: Adversary Intelligence
      description: Organization gathers intelligence on adversary personas to assist
        in the prioritization of security activities.
      annotation: 1. Establish a process through which an organization gathers intelligence
        on adversary personas to assist in the prioritization of security activities.
      typical_evidence: E-PS-05 - Periodic Threat Modeling documentation
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04:question:1
          text: 1. Validate whether a process exists through which an organization
            gathers intelligence on adversary personas to assist in the prioritization
            of security activities.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      assessable: false
      depth: 1
      name: Risk Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-01
      name: Service Risk Rating Assignment
      description: Annually, Organization prioritizes the frequency of vulnerability
        discovery activities based on an assigned service risk rating.
      annotation: '1. Ensure Risk management standard is in place and documented which
        defines the frequency of vulnerability discovery activities based on an assigned
        service risk rating.

        2. Ensure all the identified vulnerabilities are remediated based on the risk
        rating.'
      typical_evidence: 'E-RM-01 - Vulnerability management standard

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:1
          text: 1. Validate that the organization has a defined vulnerability management
            standard.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:2
          text: 2. For a sample of vulnerabilities, test that it was remediated based
            on risk ranking.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-02
      name: Risk Assessment
      description: Organization management performs an annual risk assessment. Results
        from risk assessment activities are reviewed to prioritize mitigation of identified
        risks.
      annotation: '1. Ensure Risk Management Standard shall be in place which RM-01
        defines the requirements for annual risk assessment.

        2. Ensure that the results of risk assessment are reviewed and mitigation
        is performed on priority.

        3. Any identified issues should have a corresponding risk treatment plan or
        corrective action plan in place. Each issue shall be tracked to completion.'
      typical_evidence: 'E-RM-03 - Risk Management Standard

        E-RM-04 - Risk assessment report

        E-RM-05 - Sample evidences for the risks treatment plan for the identified
        risks'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:1
          text: 1. Validate that Risk Management Standard is in place and defines
            the requirements for annual risk assessment.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:2
          text: 2. Validate evidence for the review of results of risk assessment
            and mitigation of risks.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:3
          text: 3. Validate that any identified issues were tracked to completion,
            according to its corresponding risk treatment plan or corrective action
            plan.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-03
      name: 'Risk Assessment: HIPAA Criteria'
      description: "Organization's periodic risk assessment for systems that process,\
        \ transmit or store Protected Health Information (PHI) includes the following:\n\
        \u2022 identify and classify assets\n\u2022 identify threats\n\u2022 identify\
        \ vulnerabilities\n\u2022 identify controls\n\u2022 perform threat likelihood\
        \ analysis\n\u2022 perform threat impact analysis\n\u2022 identify residual\
        \ risk\n\u2022 identify appropriate safeguards"
      annotation: "1. Ensure risk assessment for systems that process, transmit or\
        \ store Protected Health Information (PHI) shall be in place and includes\
        \ the information listed below:\n\u2022 identify and classify assets\n\u2022\
        \ identify threats\n\u2022 identify vulnerabilities\n\u2022 identify controls\n\
        \u2022 perform threat likelihood analysis\n\u2022 perform threat impact analysis\n\
        \u2022 identify residual risk\n\u2022 identify appropriate safeguards"
      typical_evidence: E-RM-06 - Risk Assessment HIPAA Report
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:1
          text: '1. Review Risk Assessment for a sample system that process, transmit
            or store Protected Health Information (PHI) and validate whether it includes
            the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:2
          text: "\u2022 identify and classify assets"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:3
          text: "\u2022 identify threats"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:4
          text: "\u2022 identify vulnerabilities"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:5
          text: "\u2022 identify controls"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:6
          text: "\u2022 perform threat likelihood analysis"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:7
          text: "\u2022 perform threat impact analysis"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:8
          text: "\u2022 identify residual risk"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:9
          text: "\u2022 identify appropriate safeguards"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-04
      name: Continuous Monitoring
      description: The design and operating effectiveness of internal controls are
        continuously evaluated against the established Common Controls Framework by
        Organization. Corrective actions related to identified deficiencies are tracked
        to resolution.
      annotation: '1. Ensure that a process is defined and documented for the continuous
        monitoring of internal controls against the common controls framework.

        2. Ensure any gaps identified are remediated as per the organization''s policy.'
      typical_evidence: 'E-RM-07 - Compliance Review report

        E-RM-08 - Sample evidences of corrective actions taken in case of any deficiencies
        identified'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:1
          text: 1. Validate that a process is defined and documented for the continuous
            monitoring of internal controls against the common controls framework.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:2
          text: 2. For sample gaps validate that they were remediated as per the organization's
            policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-05
      name: 'Self-Assessments: PCI'
      description: "On a quarterly basis, reviews shall be performed with approved\
        \ documented specification to confirm personnel are following security policies\
        \ and operational procedures pertaining to:\n\u2022 daily log reviews\n\u2022\
        \ firewall rule-set reviews\n\u2022 applying configuration standards to new\
        \ systems\n\u2022 responding to security alerts\n\u2022 change management\
        \ processes"
      annotation: "1. Establish a quarterly process to ensure that the following policies\
        \ and operational procedures are being reviewed and approved by authorized\
        \ personnel: \n\u2022 daily log reviews\n\u2022 firewall rule-set reviews\n\
        \u2022 applying configuration standards to new systems\n\u2022 responding\
        \ to security alerts\n\u2022 change management processes"
      typical_evidence: 'E-RM-03 - Risk Management Standard

        E-RM-09 - Quarterly Review Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:1
          text: '1. Inspect whether a process exists for reviewing the following on
            a quarterly basis:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:2
          text: "\u2022 daily log reviews"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:3
          text: "\u2022 firewall rule-set reviews"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:4
          text: "\u2022 applying configuration standards to new systems"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:5
          text: "\u2022 responding to security alerts"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:6
          text: "\u2022 change management processes"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:7
          text: 2. Validate using the last review whether any deviations were noted
            and if applicable, were tracked till resolution
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-06
      name: Internal Audits
      description: Organization establishes internal audit requirements based on the
        Common Controls Framework by Organization and executes audits on information
        systems and processes at planned intervals.
      annotation: 1. Ensure that the organization sets audit rules based on its Common
        Controls Framework and conducts audits on its information systems and processes
        at scheduled times
      typical_evidence: 'E-RM-10 - Common Controls Framework

        E-RM-11 - Audit Reports and associated documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06:question:1
          text: '1. Inspect internal and external audit results. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-07
      name: ISMS Internal Audit Requirements
      description: Internal audit establishes and executes a plan to evaluate applicable
        controls in the Information Security Management System (ISMS) at least once
        every 3 years.
      annotation: '1. Ensure that the organization possesses an audit program document
        that enumerates the particular controls slated for testing within its Information
        Security Management System (ISMS).

        2. Ensure that the outcomes of internal audit for ISMS controls is reviewed
        on a periodic basis.'
      typical_evidence: 'E-RM-12 - Audit Plan

        E-RM-13 - Audit Checklist

        E-RM-11 - Audit Reports and associated documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:1
          text: '1. Inspect audit program document that lists out specific controls
            to be tested in the ISMS. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:2
          text: '2. Inspect the results of internal audit of ISMS controls and note
            the cadence of such audits. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-08
      name: Remediation Tracking
      description: Management prepares a remediation plan to formally manage the resolution
        of findings identified in risk assessment activities.
      annotation: '1. Ensure that there is a well-defined and documented remediation
        plan in place to address and resolve any findings from risk assessment activities.

        2. Ensure that the findings identified are resolved within the agreed timeframe.'
      typical_evidence: 'E-RM-14 - Remediation Plan

        E-RM-03 - Risk Management Standard

        E-RM-15 - Finding documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:1
          text: '1. Inspect documentation of remediation plan for any risk assessment
            activities. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:2
          text: 2. Validate whether the findings created are remediated in the defined
            timeframe.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-09
      name: ISMS Corrective Action Plans
      description: Management prepares a Corrective Action Plan (CAP) to manage the
        resolution of nonconformities identified in independent audits.
      annotation: 1. Ensure that there is an audit finding document generated following
        an external, independent audit and used as a basis for implementing necessary
        improvements and corrective actions.
      typical_evidence: 'E-RM-15 - Finding documentation

        E-RM-16 - Documented Corrective Action Plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:1
          text: '1. Inspect audit finding document prepared after external, independent
            audit. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:2
          text: '2. For a sample of findings, examine evidence of resolution or a
            plan of action for audit findings. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206
      ref_id: RM-10
      name: Statement of Applicability
      description: 'Management prepares a statement of applicability that includes
        control objectives, implemented controls, and business justification for excluded
        controls. Management aligns the statement of applicability with the results
        of the annual risk assessment. '
      annotation: 1. Ensure that the statement of applicability (SOA) is approved
        by the management and in alignment with the outcomes of the annual risk assessment
        to ensure consistency and relevance.
      typical_evidence: E-RM-17 - Statement of Applicability (SOA)
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:1
          text: '1. Inspect the organization''s statement of applicability (SOA) and
            compares it with the result of the annual risk assessment. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:2
          text: '2. Validate whether the statement of applicability is approved by
            management. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217
      assessable: false
      depth: 1
      name: System Design Documentation
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217
      ref_id: SDD-01
      name: System Documentation
      description: Documentation of system boundaries and key aspects of their functionality
        are published to authorized Organization personnel on the Organization intranet.
      annotation: '1. Ensure that appropriate documentation is established for system
        boundaries and key aspects of functionality.

        2. Ensure that these diagrams are available to authorized personnel through
        intranet.'
      typical_evidence: E-SDD-01 - Evidence of system diagrams
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:1
          text: 1. Inspect and validate that appropriate documentation is established
            for system boundaries and key aspects of functionality.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:2
          text: 2. Validate that these diagrams are available to authorized personnel
            through intranet.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217
      ref_id: SDD-02
      name: Whitepapers
      description: Organization publishes whitepapers to its public website that describe
        the purpose, design and boundaries of the system and system components.
      annotation: '1. Ensure that the organization''s public website have published
        whitepapers describing the purpose, design, and boundaries of the in-scope
        services and system components.

        2. Ensure that these whitepapers are reviewed periodically for accuracy and
        approved by relevant personnel prior to publishing.'
      typical_evidence: E-SDD-02 - Evidence of whitepapers
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02:question:1
          text: 1. Inspect the organization's public website to determine whether
            whitepapers for in-scope services are published.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      assessable: false
      depth: 1
      name: Security Governance
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-01
      name: Policy and Standard Review
      description: Organization's policies and standards are periodically reviewed,
        approved by management, and communicated to Organization personnel.
      annotation: '1. Ensure that the organization''s policies and standards are well-defined,
        documented and communicated with relevant personnel.

        2. Ensure that these policies and standards are reviewed periodically and
        are approved by the management.'
      typical_evidence: 'E-SG-01 - Information Security Management Standard

        E-SG-02 - Evidence of periodic review of organization''s policies and standards
        (with version history)

        E-SG-03 - Sample of communication mail sent to employees'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:1
          text: 1. Inspect organization's Policy to determine whether requirements
            for periodic reviews, management approval, and communication of policies
            and standards are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:2
          text: 2. Inspect a sample of organization's policies and standards to determine
            whether they are documented, periodically reviewed, and approved by management
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:3
          text: '3. Inspect the corporate intranet or email communication sent to
            employee that validates these policies are communicated within the organization. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-02
      name: Exception Management
      description: Organization reviews exceptions to policies, standards and procedures;
        exceptions are documented and approved based on business need and removed
        when no longer required.
      annotation: '1. Ensure that a process for the handling of exceptions is well
        defined and documented.

        2. Ensure exceptions observed have thorough documentation, approval from higher
        management, and are promptly removed when no longer needed.'
      typical_evidence: 'E-SG-01 - Information Security Management Standard

        E-SG-04 - Sample Policy Exceptions'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:1
          text: 1. Inspect organization's policy and/or standards to determine whether
            requirements to review, approve, and document exceptions to policies,
            standards, and procedures are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:2
          text: 2. Inspect a sample of exceptions to determine whether each exception
            is reviewed, approved, and documented based on business need and removed
            when no longer required.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-03
      name: Document Control
      description: Organization's document management criteria is periodically reviewed,
        approved by management, and communicated to authorized personnel; management
        determines the treatment and retention of documentation according to legal
        and regulatory requirements.
      annotation: '1. Ensure that the organization has a well defined and documented
        document management criteria.

        2. Ensure that the criteria is reviewed and approved by the management periodically.

        3. Ensure that the criteria is communicated to authorized personnel.

        4. Ensure that the documentation is treated and retained according to legal
        and regulatory requirements.'
      typical_evidence: 'E-SG-01 - Information Security Management Standard

        E-SG-05 - Document Management Criteria

        E-SG-06 - Document Retention Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:1
          text: 1. Inspect the organization's policy and/or standard to validate that
            the organization has a well defined and documented document management
            criteria.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:2
          text: 2. Validate that the criteria is reviewed and approved by the management
            periodically.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:3
          text: 3. Validate whether the criteria is communicated to authorized personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:4
          text: 4. Validate for a sample documentation that it is treated and retained
            according to legal and regulatory requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-04
      name: Information Security Program Content
      description: 'The Chief Security Officer conducts a periodic staff meeting to
        communicate and align on relevant security threats, program performance, and
        resource prioritization. '
      annotation: '1. Ensure that a process is defined and documented for conducting
        periodic staff meetings with the Chief Security Officer.

        2.Ensure that the meeting agenda consists of security threats, Information
        Security Management Program Performance and Resource Prioritization.'
      typical_evidence: 'E-SG-01 - Information Security Management Standard

        E-SG-15 - MOM of management meetings'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            conducting periodic staff meetings with the Chief Security Officer.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:2
          text: 2. Validate that the meeting agenda consists of security threats,
            Information Security Management Program Performance and Resource Prioritization
            for sample quarters.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-05
      name: Procedures
      description: Organization's key control capabilities are supported by documented
        procedures that are communicated to authorized personnel.
      annotation: '1. Ensure that a process is defined and documented so that all
        key control capabilities are supported by documented procedures.

        2. Ensure that these procedures are communicated to authorized personnel.'
      typical_evidence: E-SG-01 - Information Security Management Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:1
          text: 1. Inspect and validate that a process is defined and documented so
            that all key control capabilities are supported by documented procedures.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:2
          text: 2. Validate that these procedures are communicated to authorized personnel.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-06
      name: Proprietary Rights Agreement
      description: Organization regular employees consent to a proprietary rights
        agreement.
      annotation: "1. Ensure that all employees are required to sign a proprietary\
        \ rights agreement prior to joining the organization. \n2. Ensure that appropriate\
        \ records are maintained for retaining this information."
      typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's
        network access agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:1
          text: 1. Inspect the procedure for employees to sign proprietary rights
            agreement.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:2
          text: '2. Inspect a sample of employee''s proprietary rights agreement. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-07
      name: Review of Confidentiality Agreements
      description: The Organization Proprietary Rights Agreement and Organization
        Network Access Agreement are reviewed on a periodic basis.
      annotation: "1. Ensure all employees sign the organization's proprietary rights\
        \ agreement and network access agreement prior to joining the organization.\
        \ \n2. Ensure these agreements are updated on a need-to-know basis and communicated\
        \ to stakeholders."
      typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's
        network access agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07:question:1
          text: '1. Inspect organization''s proprietary rights agreement and network
            access agreement and check for periodic review. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-08
      name: Information Security Program
      description: Organization has an established security leadership team including
        key stakeholders in the Organization Information Security Program; goals and
        milestones for deployment of the information security program are established
        and communicated to the company through the periodic security all-hands meeting.
      annotation: "1. Ensure there is a dedicated information security management\
        \ standard which consists of requirements pertaining to security leadership\
        \ team and the establishment and communication of security goals and milestones.\
        \ \n2. Ensure the organization's information security management standard\
        \ is uploaded on corporate intranet and made available to all employees.\n\
        3. Ensure, ISMS steering committee is conducting monthly meetings whose, minutes\
        \ are documented and communicated to relevant stakeholders."
      typical_evidence: "E-SG-01 - Information Security Management Standard\nE-SG-08\
        \ - Information Security management Standard is uploaded on intranet \nE-SG-09\
        \ - MOM of ISMS steering committee "
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:1
          text: 1. Inspect Information Security Management Standard to determine whether
            requirements for a security leadership team and the establishment and
            communication of security goals and milestones are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:2
          text: 2. Observe organization's corporate intranet to determine whether
            the Information Security Management Standard is communicated to the company.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:3
          text: 3. Inspect the most recent ISMS Steering minutes to determine the
            participation from the security leadership team, and the establishment
            and communication of security goals and milestones.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-09
      name: Accessibility Program
      description: Organization has an established accessibility leadership team including
        key stakeholders; goals and milestones for deployment of the accessibility
        program are established and communicated to the company.
      annotation: '1. Prepare a list of accessibility key stakeholders and objectives
        of accessibility program.

        2. Review ISMS standard to ensure that it includes the  information related
        to accessibility program and made available to the employees of the organization.'
      typical_evidence: E-SG-01 - Information Security Management Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:1
          text: 1. Validate that the ISMS standard lists key stakeholders and objectives
            of the accessibility program.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:2
          text: 2. Observed how the ISMS standard includes information about the accessibility
            program and whether it is readability available to employees of the organization.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-10
      name: Information Security Management System Scope
      description: Information Security Management System (ISMS) boundaries are formally
        defined in an ISMS scoping document.
      annotation: '1. Ensure a process has been defined and documented to create an
        ISMS scoping document.

        2. Ensure that this document is appropriately reviewed and updated to refelct
        accurate boundaries for the information security management system.'
      typical_evidence: E-SG-10 - ISMS Scope document
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            to create an ISMS scoping document.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:2
          text: 2. Validate whether this document was appropriately reviewed and updated.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-11
      name: Security Roles and Responsibilities
      description: Roles and responsibilities for the governance of Information Security
        within Organization are formally documented within the Information Security
        Management Standard and communicated on the Organization intranet.
      annotation: '1. Ensure organization''s information security standard consists
        of roles and responsibilities for the governance of information security within
        organization and uploaded on the corporate intranet and made available to
        all employees.

        2. Ensure, ISMS steering committee is conducting monthly meetings whose, minutes
        are documented and communicated to relevant stakeholders.'
      typical_evidence: E-SG-10 - ISMS Scope document
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:1
          text: 1. Inspect Organization's Information Security Management Standard
            to determine whether it was communicated and defined information security
            roles and responsibilities for the governance of information security
            within Organization.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:2
          text: 2. Observed Organization's corporate intranet to determine whether
            the Information Security Management Standard is communicated to the company.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:3
          text: 3. Inspect the most recent ISMS Steering Committee Meeting minutes
            to determine the participation from the security leadership team, and
            establishment and communication of security goals and milestones.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-12
      name: 'Security Roles and Responsibilities: Risk Designations'
      description: Organization defined security roles and responsibilities are assigned
        risk designations and reviewed at least once every three years.
      annotation: 1. Ensure there is a risk management policy, and risk matrix (which
        consists of risk severity, risk treatment, risk mitigation plan, and compensatory
        control) which are updated once in every 3 years or on a need-to-know basis.
      typical_evidence: 'E-SG-11 - Risk Management Policy

        E-SG-12 - Risk Matrix '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12:question:1
          text: 1. Inspect Organization's Risk Management policy and risk control
            matrix and ensure they are updated once in every 3 years or on a need-to-know
            basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-13
      name: 'Security Roles and Responsibilities: PCI Compliance'
      description: Roles and responsibilities and a program charter for the governance
        of PCI DSS compliance within Organization are formally documented and communicated
        by management.
      annotation: 1. Define roles and responsibilities for PCI DSS governances which
        is approved by the organization's management and documented well in PCI Charter.
      typical_evidence: 'E-SG-13 - PCI charter '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13:question:1
          text: 1. Inspect Organization's PCI Charter and organization chart to determine
            that roles and responsibilities for PCI DSS governances are appropriately
            documented and disseminated by Organization Management.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-14
      name: Information Security Resources
      description: "Information systems security implementation and management are\
        \ included as part of the budget required to support the Organization\_Security\
        \ Program."
      annotation: "1. Allocate resources as per the Organization's Security program\
        \ and the defined budget. \n2. Ensure management meets monthly or on a need-to-know\
        \ basis to discuss the critical security requirements across organization\
        \ based on multiple factors as well as justifications basis which budget is\
        \ allocated for management of Organization's security program and corresponding\
        \ records are maintained.\n3. Each department spend and allocate resources\
        \ as per the defined budget and security program which aligns with the business\
        \ objectives.\n4. Ensure budget is approved by top management for spending\
        \ to be aligned with business justification."
      typical_evidence: 'E-SG-14 - Approved budget allocation documentation

        E-SG-15 - MOM of management meetings'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:1
          text: 1. Inspect all the security requirements for which budget is required
            as a part of Organization's Security program and corresponding business
            justification are identified, documented and maintained.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:2
          text: 2. Ensure that as a part of regular periodic management review meetings
            identified critical security requirements across organization are reviewed
            as well as analyzed and based on multiple factors as well as justifications
            basis which budget is allocated for management of Organization's security
            program and corresponding records are maintained.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:3
          text: 3. Inspect documentation around representation from all the key departments
            to ensure allocation of budget for security program is aligned with business
            objectives.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:4
          text: 4. Inspect the approval obtained by top management for spending of
            allocated budget to be aligned with business justification.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-15
      name: Management Review
      description: 'The Information Security Management System (ISMS) steering committee
        conducts a formal management review of ISMS scope, risk assessment activities,
        control implementation, and audit results on an annual basis. '
      annotation: '1. Conduct ISMS steering committee meeting on monthly basis or
        on a need-to-know basis to discuss and review the current scope (products
        included), audit progress, ISMS scope, risk assessment activities, control
        implementation, and audit results.

        2. Document the attendance of each member.'
      typical_evidence: 'E-SG-09 - MOM of ISMS steering committee '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:1
          text: 1. Validate that ISMS Steering committee meet at least annually, and
            inspect meeting minutes from each meeting.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:2
          text: 2. Inspect attendees of the steering committee meeting shall be documented,
            and members of the information steering committee shall include relevant
            members from the offering's organization.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:3
          text: '3. Each meeting shall include an discussion and review of current
            scope (products included), audit progress, ISMS scope, risk assessment
            activities, control implementation, and audit results. Included shall
            be action items for any audit findings. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-16
      name: Enterprise Data Catalog
      description: Organization maintains an enterprise data catalog that encompasses
        key organizational data, environment metadata, and product information to
        facilitate continuous monitoring of the internal control environment. The
        enterprise data catalog is updated as part of the continuous monitoring process
        and upon the introduction of new service offerings and acquisitions.
      annotation: '1. Ensure there is a documented enterprise data catalogue which
        consists of details that include but not limited to: key organizational data,
        environment metadata, and product information to facilitate continuous monitoring
        of the internal control environment.

        2. Ensure that the documented enterprise data catalogue is reviewed and updated
        annually or as in when required. '
      typical_evidence: 'E-SG-16 - Enterprise Data Catalogue '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:1
          text: 1. Inspect the Enterprise Data Catalog to determine that it includes
            key organizational data, environment metadata, and product information
            to facilitate continuous monitoring of the internal control environment.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:2
          text: 2. Inspect that the data catalog is reviewed and updated periodically
            and further, upon the introduction of new service offerings and acquisitions.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220
      ref_id: SG-17
      name: Software Usage Restrictions
      description: Organization maintains software license contracts and monitors
        its compliance with usage restrictions.
      annotation: '1. Ensure there is a formal documented software license agreement/policy
        which defines the criteria for the installation of software.

        2. Ensure software license agreement/policy is reviewed and updated on annual
        basis or when required.

        3. Continuous monitoring of installed software to ensure the compliance posture
        as per the defined criteria.'
      typical_evidence: 'E-SG-17 - Software License Agreement/Policy

        E-SG-18 - Software monitoring compliance report to ensure the compliance posture '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:1
          text: '1. Identify and document the inventory of software license contracts
            corresponding to different software. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:2
          text: 2. Inspect management approved procedures for license maintenance
            and usage are in place and maintained.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:3
          text: 3. Ensure that monitoring is in place to check the compliance effectiveness
            with usage restrictions defined as part of software license maintenance
            as well as usage contracts.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:4
          text: 4. Ensure monitoring records of period review/audits are maintained
            to ensure adherence to the requirements of the software license contracts
            and usage restrictions.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:5
          text: 5. Licenses and contracts are reviewed as needed, and increased supply
            of licenses and contracts are obtained if needed to meet use/demand.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      assessable: false
      depth: 1
      name: Service Lifecycle
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-01
      name: Service Lifecycle Workflow
      description: Major software releases are subject to the Service Life Cycle,
        which requires acceptance via Concept Accept and Project Plan Commit phases
        prior to implementation.
      annotation: "1. Ensure there is a documented standard for organization product\
        \ lifecycle and secure product lifecycle which consists requirements for acceptance\
        \ via concept accept and project plan commit phases prior to implementation.\n\
        2. Ensure the standard for organization product lifecycle and secure product\
        \ lifecycle are reviewed and updated as required. \n3. Implement a procedure\
        \ to document the acceptance via concept accept and project plan commit phases\
        \ prior to implementation for each and every major release."
      typical_evidence: "E-SLC-01 - Organization product lifecycle standard \nE-SLC-02\
        \ - Secure product lifecycle"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:1
          text: 1. Inspect Organization's Product Lifecycle Standard and Secure Product
            Lifecycle Standard to determine whether requirements for acceptance via
            Concept Accept and Project Plan Commit phases prior to implementation
            are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:2
          text: 2. Inspect documentation for a selection of major releases to determine
            whether it includes documentation of acceptance via Concept Accept and
            Project Plan Commit phases prior to implementation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-02
      name: Source Code Management
      description: Source code is managed with Organization-approved version control
        mechanisms.
      annotation: "1. Ensure there is a documented organization's source code security\
        \ standard and it is updated on need to know basis. \n2. Ensure source code\
        \ repositories used by service team as per the approved version control mechanisms/systems."
      typical_evidence: "E-SLC-03 - Source code standard \nE-SLC-04 - Source code\
        \ repository "
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:1
          text: 1. Inspect Organization's Source Code Security Standard to determine
            whether requirements for Organization-approved version control software
            are in place.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:2
          text: 2. For a sample of services, inspect source code repository used by
            services to determine that source code is managed with Organization-approved
            version control mechanisms/systems.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-03
      name: Secrets in Code
      description: 'Organization manages source code secrets in a centralized repository;
        secrets are rotated at least annually and immediately if the security of secrets
        is compromised. '
      annotation: '1. Each service should have a central source code repository where
        all secrets are managed.

        2. Secrets of the service are rotated once every year and in cases where the
        securiy of secrets is compromised. Logs for the same are maintained and documented.'
      typical_evidence: 'E-SLC-05 - Central Source Code Repository

        E-SLC-06 - Shared Secret Rotation Logs '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:1
          text: 1. For a sample of services, inspect the Organization's centralized
            repository to determine that source code secrets are managed in a centralized
            repository.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:2
          text: 2. Obtain evidence to validate secrets are rotated at least annually
            and immediately if the security of secrets is compromised.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-04
      name: Project Budget Approval
      description: 'Approval for project initiation and budget is obtained from IT
        management and business owners.

        '
      annotation: 1. Prepare a project management plan that includes but not limited
        to project initiation guidelines and budget from IT management and business
        owners.
      typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting

        E-SLC-08 - Formal sign-off on the project plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04:question:1
          text: 1. Obtain evidence of approval for project initiation and budget from
            IT management and business owners.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-05
      name: Project Scope Change
      description: 'Changes to finalized project scope and requirements require the
        review and approval from the business team and project manager.

        '
      annotation: '1. Prepare a project management plan that outlines the project
        scope, and requirements.

        2. Project Management plan is approved by business team.'
      typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting

        E-SLC-08 - Formal sign-off on the project plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:1
          text: 1. Review the changes that have been modified and finalized for project
            scope and requirements.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:2
          text: 2. Obtain evidence of approval from the business team and project
            management for finalization of project scope and requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-06
      name: Information System Operation Authorization
      description: Senior management authorizes the operation of new information systems,
        based on security and business requirements, prior to implementation. The
        information system authorization is refreshed every 3 years or when significant
        change occurs.
      annotation: '1. Ensure there is documented service lifecycle program which is
        updated on a need-to-know basis

        2. Ensure there is a documented information system operation authorization
        which is approved by the senior management and updated once in every 3 years
        or on a need-to-know basis.'
      typical_evidence: 'E-SLC-09 - Service Lifecycle Program

        E-SLC-10 - Information system Operation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:1
          text: 1. Inspect the approval matrix for Service Lifecycle Program Management.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:2
          text: 2. Inspect the approval matrix for Information System Operation Authorization
            by the authorized senior management to determine the operation of new
            information systems
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:3
          text: 3. Review the information system authorization is updated every 3
            years or when significant changes occurs.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238
      ref_id: SLC-07
      name: System Acquisition Approval
      description: "Information system acquisitions require approval from authorized\
        \ personnel based on verification of the following documented evidence:\n\u2022\
        \ security function, strength, and assurance requirements\n\u2022 requirements\
        \ for protecting security-related documentation\n\u2022 system development\
        \ and test requirements\n\u2022 acceptance criteria for releases\n\u2022 enumeration\
        \ of Security controls\n\u2022 security control implementation and monitoring\
        \ requirements\n\u2022 components are FIPS-201 approved"
      annotation: "1. Define and implement a procedure for the formal approval from\
        \ an authorized personnel Information system acquisitions based on verification\
        \ of the following documented evidence:\n\u2022 security function, strength,\
        \ and assurance requirements\n\u2022 requirements for protecting security-related\
        \ documentation\n\u2022 system development and test requirements\n\u2022 acceptance\
        \ criteria for releases\n\u2022 enumeration of Security controls\n\u2022 security\
        \ control implementation and monitoring requirements\n\u2022 components are\
        \ FIPS-201 approved"
      typical_evidence: 'E-SLC-11 - Formal Approval/documents from the authorized
        personnel '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:1
          text: '1. Obtain evidence of approval from authorized personnel for Information
            system acquisitions based on verification of the following documented
            evidence:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:2
          text: "\u2022 security function, strength, and assurance requirements"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:3
          text: "\u2022 requirements for protecting security-related documentation"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:4
          text: "\u2022 system development and test requirements"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:5
          text: "\u2022 acceptance criteria for releases"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:6
          text: "\u2022 enumeration of Security controls"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:7
          text: "\u2022 security control implementation and monitoring requirements"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:8
          text: "\u2022 components are FIPS-201 approved"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      assessable: false
      depth: 1
      name: Systems Monitoring
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-01
      name: Audit Logging
      description: Organization logs critical information system activity.
      annotation: "1. Ensure that the Organization's Logging Standard includes logging\
        \ requirements for critical system activity.\n2. Ensure that the following\
        \ system logging configurations (at the least, but not limited to) for a selection\
        \ of production systems to determine the following:\na. Log aggregation tool\
        \ is configured for the service.\nb. Whether the below logs are being sent\
        \ to the log aggregation tool:\ni. System OS logs\nii. AWS Config (configuration\
        \ monitoring resource in AWS)\niii. Cloud Trail (All account level activity\
        \ including API calls, IAM role/user)\niv. VPC Flow Logs (Showing all network\
        \ connections to and from a VPC)\nv. Guard Duty (AWS provided threat detection\
        \ service)\nc. PCI Specific - Whether critical information system activity\
        \ is logged such as the following:\ni. Access to all audit trails (Covered\
        \ through CloudTrail)\nii. Invalid logical access attempts.\niii. Use of and\
        \ changes to identification and authentication mechanisms, including: All\
        \ elevation of privileges. All changes, additions, or deletions to any account\
        \ with root or administrative privileges. \niv. Initialization of audit logs\n\
        v. Stopping or pausing of audit logs\nvi. Creation and deletion of system\
        \ level objects\nvii. Alerts are in place to be triggered when the aforementioned\
        \ logs are not forwarded/face an error in being sent by the log aggregation\
        \ tool."
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-02 - Logging configuration

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:1
          text: 1. Inspect Organization's Logging Standard to determine whether logging
            requirements are defined for critical system activity.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:2
          text: '2. Inspect system logging configurations for a sample of production
            systems to determine the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:3
          text: a. Log aggregation tool is configured for the service.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:4
          text: 'b. Whether the below logs are being sent to the log aggregation tool:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:5
          text: i. System OS logs
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:6
          text: ii. AWS Config (configuration monitoring resource in AWS)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:7
          text: iii. Cloud Trail (All account level activity including API calls,
            IAM role/user)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:8
          text: iv. VPC Flow Logs (Showing all network connections to and from a VPC)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:9
          text: v. Guard Duty (AWS provided threat detection service)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:10
          text: 'c. PCI Specific - Whether critical information system activity is
            logged such as the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:11
          text: i. Access to all audit trails (Covered through CloudTrail)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:12
          text: ii. Invalid logical access attempts.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:13
          text: 'iii. Use of and changes to identification and authentication mechanisms,
            including: All elevation of privileges. All changes, additions, or deletions
            to any account with root or administrative privileges. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:14
          text: iv. Initialization of audit logs
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:15
          text: v. Stopping or pausing of audit logs
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:16
          text: vi. Creation and deletion of system level objects
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:17
          text: vii. Alerts are in place to be triggered when the aforementioned logs
            are not forwarded/face an error in being sent by the log aggregation tool.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-02
      name: Secure Audit Logging
      description: Organization logs critical information system activity to a secure
        repository. Organization disables administrators ability to delete or modify
        enterprise audit logs; the number of administrators with access to audit logs
        is limited.
      annotation: '1. Ensure that Organization''s Logging Standard includes logging
        requirements for critical system activity to mandate log forwarding and storage
        in a central repository.

        2. Establish a process for periodic review of appropriate access of the administrators
        to SIEM tool.

        3.Ensure that only a defined list of users are allowed to delete/modified
        SIEM logs.'
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-04 - Access review documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:1
          text: 1. Inspect Organization's Logging Standard to determine whether logging
            requirements are defined for critical system activity to mandate log forwarding
            and storage in a central repository.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:2
          text: 2. Inspect the list of SIEM tool Administrators and validate that
            their access is appropriate.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:3
          text: 3. Validate the list of users allowed to delete/modified SIEM tool
            logs and ensure it is restricted.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-03
      name: 'Audit Logging: Cardholder Data Environment Activity'
      description: "Organization logs the following activity for cardholder data environments:\n\
        \u2022 individual user access to cardholder data\n\u2022 administrative actions\n\
        \u2022 access to logging servers\n\u2022 failed logins\n\u2022 modifications\
        \ to authentication mechanisms and user privileges\n\u2022 initialization,\
        \ stopping, or pausing of the audit logs\n\u2022 creation and deletion of\
        \ system-level objects\n\u2022 security events\n\u2022 logs of all system\
        \ components that store, process, transmit, or could impact the security of\
        \ cardholder data (CHD) and/or sensitive authentication data (SAD)\n\u2022\
        \ logs of all critical system components\n\u2022 logs of all servers and system\
        \ components that perform security functions (e.g., firewalls, intrusion-detection\
        \ systems/intrusion-prevention systems (IDS/IPS), authentication servers,\
        \ e-commerce redirection servers, etc.)"
      annotation: '1. Ensure that the following activity types are being logged in
        SIEM tool:

        a. individual user access to cardholder data

        b. administrative actions

        c. access to logging servers

        d. failed logins

        e. modifications to authentication mechanisms and user privileges

        f. initialization, stopping, or pausing of the audit logs

        g. creation and deletion of system-level objects

        h. security events

        i. logs of all system components that store, process, transmit, or could impact
        the security of cardholder data (CHD) and/or sensitive authentication data
        (SAD)

        j. logs of all critical system components

        k. logs of all servers and system components that perform security functions
        (e.g., firewalls, intrusion-detection systems/intrusion-prevention systems
        (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)'
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:1
          text: '1. Inspect SIEM Logs for a sample of in-scope production servers
            to validate that the below activity types are being logged:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:2
          text: a. individual user access to cardholder data
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:3
          text: b. administrative actions
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:4
          text: c. access to logging servers
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:5
          text: d. failed logins
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:6
          text: e. modifications to authentication mechanisms and user privileges
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:7
          text: f. initialization, stopping, or pausing of the audit logs
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:8
          text: g. creation and deletion of system-level objects
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:9
          text: h. security events
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:10
          text: i. logs of all system components that store, process, transmit, or
            could impact the security of cardholder data (CHD) and/or sensitive authentication
            data (SAD)
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:11
          text: j. logs of all critical system components
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:12
          text: k. logs of all servers and system components that perform security
            functions (e.g., firewalls, intrusion-detection systems/intrusion-prevention
            systems (IDS/IPS), authentication servers, e-commerce redirection servers,
            etc.)
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-04
      name: 'Audit Logging: Cardholder Data Environment Event Information'
      description: "Organization records the following information for confirmed events\
        \ in the cardholder data environment:\n\u2022 user identification\n\u2022\
        \ type of event\n\u2022 date and time\n\u2022 event success or failure indication\n\
        \u2022 origination of the event\n\u2022 identification of affected data, system\
        \ component, or resource"
      annotation: '1. Ensure that the below information is being logged for all critical
        security events:

        a. user identification

        b. type of event

        c. date and time

        d. event success or failure indication

        e. origination of the event

        f. identification of affected data, system component, or resource'
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:1
          text: '1. Inspect SIEM Logs for a sample of in-scope production servers
            to validate that the below information is being logged for all critical
            security events:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:2
          text: a. user identification
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:3
          text: b. type of event
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:4
          text: c. date and time
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:5
          text: d. event success or failure indication
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:6
          text: e. origination of the event
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:7
          text: f. identification of affected data, system component, or resource
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-05
      name: 'Audit Logging: Service Provider Logging Requirements'
      description: "Organization establishes unique logging and audit trails for each\
        \ entity's cardholder data environment and complies with the following:\n\u2022\
        \ logs are enabled for third-party applications\n\u2022 logs are active by\
        \ default\n\u2022 logs are available for review by and communicated to the\
        \ owning entity"
      annotation: "1. Establish a process that ensures that Organization's audit trails/audit\
        \ logs:\n\u2022 each and every third-party application for every entity.\n\
        \u2022 logs are active by default\n2. Establish a process in the Organization's\
        \ logging and monitoring mechanism which ensures that logs are reviewed periodically\
        \ and on a need-to-do basis. Additionally, the same shall be communicated\
        \ to the concerned stakeholders."
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:1
          text: '1. Inspect Organization''s audit trails/audit logs for:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:2
          text: "\u2022 each and every third-party application for every entity."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:3
          text: "\u2022 logs are active by default"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:4
          text: 2. Inspect Organization's logging and monitoring mechanism to ensure
            that logs are reviewed periodically and on a need-to-do basis. Additionally,
            validate whether the same is being communicated to the concerned stakeholders.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-06
      name: 'Configuration Management: Remote Logging'
      description: Where applicable, devices are configured to send audit log data
        to a remote server
      annotation: 1. Establish a data flow mechanism to ensure that the devices are
        configured to send audit log data to a remote server.
      typical_evidence: 'E-NO-17 - Data Flow Diagrams

        E-SM-01 - Logging Standard

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06:question:1
          text: 1. Inspect Organization's data flow mechanisms to ensure that the
            devices are configured to send audit log data to a remote server.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-07
      name: Chain of Accountability
      description: Organization implements audit trails to link authentication events
        to individuals users in production systems.
      annotation: '1. Establish organization''s logging and monitoring process.

        2. Ensure logs contain identifiers to establish audit trails to systems and
        users.'
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:1
          text: 1. Validate the organizations logging and monitoring process.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:2
          text: 2. Validate whether the logs contain identifiers to establish audit
            trails to systems and users.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-08
      name: Audit Record Time Stamps
      description: Organization records time stamps for audit records that can be
        mapped to a centralized time source.
      annotation: 1. Ensure that the time sync is enabled, stratums are defined, and
        the time servers are working.
      typical_evidence: E-SM-05 - NTP logs and configuration
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:1
          text: 1. Validate whether time sync is enabled, stratums are defined, and
            the time servers are working.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:2
          text: 2. For a sample of audit records, review time stamps to determine
            whether time stamps for audit records can be mapped to a centralized time
            source.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-09
      name: 'Log Reconciliation: CMDB'
      description: Organization reconciles the established device inventory against
        the enterprise log repository on a quarterly basis; devices which do not forward
        log data are remediated.
      annotation: '1. Design a process to prepare a quarterly Log reconciliation report
        which includes reconciliation of the established device inventory against
        the enterprise log repository.

        2. Wherever deviation is identified from the reconciliation, ensure that the
        actions are taken for remediation of the devices which do not forward log
        data.'
      typical_evidence: 'E-SM-06 - Quarterly Log reconciliation report

        E-SM-07 - Sample of remediation documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:1
          text: 1. Inspect Organization's Log reconciliation report to determine that
            the established device inventory against the enterprise log repository
            is reconciled on a quarterly basis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:2
          text: 2. Inspect the actions taken for remediation of the devices which
            do not forward log data.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-10
      name: Audit Log Capacity and Retention
      description: Organization allocates audit record storage capacity in accordance
        with logging storage and retention requirements; Audit logs are retained for
        1 year with 90 days of data immediately available for analysis.
      annotation: '1. Document Organization''s Logging Standard which includes logging
        retention requirements for critical system activity to mandate logs be available
        for a minimum for 1 year.

        2. Implement SIEM tool configuration to retrieve the relevant logs for a minimum
        period of 1 year with 90 days of logs be available for immediate analysis.'
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-02 - Logging configuration

        E-SM-03 - Sample of production server logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:1
          text: 1. Inspect Organization's Logging Standard to determine whether logging
            retention requirements are defined for critical system activity to mandate
            logs being available for a minimum for 1 year
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:2
          text: 2. Inspect sample logs for in-scope services to validate that the
            SIEM tool stores relevant logs for a minimum period of 1 year with 90
            days of logs being available for immediate analysis.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:3
          text: 3. Evaluate the SIEM tool configuration to validate the retention
            settings for 1 year.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-11
      name: Enterprise Antivirus Logging
      description: If applicable, Organization's managed enterprise antivirus deployments
        generate audit logs which are retained for 1 year with 90 days of data immediately
        available for analysis.
      annotation: '1. Enable configurations for Enterprise Antivirus solutions to
        ensure that antivirus logs are being forwarded to the SIEM

        2. Ensure that relevant logs are stored for a minimum period of 1 year with
        90 days of logs being available for immediate analysis.'
      typical_evidence: 'E-SM-08 - Enterprise Antivirus Solution configuration

        E-SM-09 - Sample of antivirus logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:1
          text: 1. Inspect configurations for Enterprise Antivirus solutions to validate
            that antivirus logs are being forwarded to SIEM.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:2
          text: 2. Inspect sample antivirus logs for in-scope services to validate
            that relevant logs are stored for a minimum period of 1 year with 90 days
            of logs being available for immediate analysis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-12
      name: Security Monitoring Alert Criteria
      description: Organization defines security monitoring alert criteria, how alert
        criteria will be flagged, and identifies authorized personnel for flagged
        system alerts.
      annotation: '1. Document Organization''s Security Monitoring Standard to include
        requirements for security monitoring alert criteria.

        2. Establish a process to periodically review and maintain a list of security
        monitoring rules.'
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-11 - List of monitoring rules

        E-SM-12 - Sample of alert rules'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for security monitoring alert criteria are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:2
          text: 2. Obtain list of security monitoring rules that are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:3
          text: 3. For a sample of alert rules from a sample of services, inspect
            the monitoring tool configuration to determine that rules are implemented
            to flag events, and notify authorized personnel.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-13
      name: Security Monitoring Alert Criteria Review
      description: Organization reviews security monitoring alert on an annual basis.
      annotation: '1. Document Organization''s Security Monitoring Standard to include
        requirements for security monitoring alert criteria.

        2. Establish a process to ensure that the monitoring tool is configured to
        review the security alerts on an annual basis by the authorized personnel. '
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-11 - List of monitoring rules

        E-SM-12 - Sample of alert rules'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for security monitoring alert criteria are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:2
          text: '2. For a sample of alert rules from a sample of services, inspect
            the monitoring tool configuration to determine that security alerts are
            reviewed on an annual basis by the authorized personnel. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-14
      name: Log-tampering Detection
      description: Organization monitors and flags tampering to the audit logging
        and monitoring tools in the production environment.
      annotation: '1. Ensure Organization''s Security Monitoring Standard to include
        requirements for monitoring and flagging, tampering to the audit logging and
        monitoring tools in the production environment.

        2. Ensure specific mechanisms to monitor and flag tampering to the audit logging
        and monitoring tools in the production environment are defined and documented.

        3. Ensure appropriate mechanisms are implemented for protecting integrity
        of logs and to prevent/detect logs from being modified/tampered at the storage
        location. Additionally, ensure such activities are recorded and controlled.

        4. Restrict and control administrative permissions to manage and modify audit
        logs to authorized personnel only.

        5. Ensure all administrative and operational activities are logged and events
        are captured to trace back to a particular user in case of any modifications/tampering
        performed.

        6. Replicate and store all applicable logs on a centralized server and restrict
        access to only authorized personnel.'
      typical_evidence: "E-SM-10 - Security Monitoring Standard\nE-SM-11 - List of\
        \ monitoring rules\nE-SM-13 - Log integrity checks \nE-SM-04 - Access review\
        \ documentation"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:1
          text: 1. Obtain relevant organizational policy/standard and ensure defined
            process regarding enabling audit logging and monitoring are adhered to.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:2
          text: 2. Validate specific mechanisms to monitor and flag tampering to the
            audit logging and monitoring tools in the production environment are defined
            and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:3
          text: 3. Validate whether appropriate mechanisms are implemented to protect
            the integrity of logs and to prevent/detect logs from being modified/tampered
            at the storage location. Additionally, ensure such activities are recorded
            and controlled.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:4
          text: 4. Inspect whether administrative permissions to manage and modify
            audit logs are restricted to authorized personnel only.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:5
          text: 5. For a sample of events, inspect whether all administrative and
            operational activities are logged and events are captured to trace back
            to a particular user in case of any modifications/tampering performed.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:6
          text: 6. Validate whether all applicable logs are replicated and stored
            on a centralized server and access is restricted to only authorized personnel,
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-15
      name: Unauthorized Devices Addition
      description: "Unauthorized devices connected to the Organization Network are:\n\
        \u2022 detected within a maximum of five minutes, and\n\u2022 the unauthorized\
        \ device is disabled, or a notification is sent to authorized Organization\
        \ personnel"
      annotation: "1. Enable Organization's monitoring tool configurations to ensure\
        \ that unauthorized devices are:\n\u2022 detected within a maximum of five\
        \ minutes, and\n\u2022 the unauthorized device is disabled, or a notification\
        \ is sent to authorized Organization personnel"
      typical_evidence: E-SM-14 - Monitoring tool configuration
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:1
          text: '1. Inspect Organization''s monitoring tool configurations to ensure
            that the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:2
          text: "\u2022 detected within a maximum of five minutes, and"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:3
          text: "\u2022 the unauthorized device is disabled, or a notification is\
            \ sent to authorized Organization personnel"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-16
      name: 'Security Monitoring Alert Criteria: Guest, Anonymous and Temp Accounts'
      description: Organization defines security monitoring alert criteria for the
        use of guest, anonymous, and temporary accounts on Organization's network.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for the use of guest,
        anonymous, and temporary accounts on Organization''s network.

        2. Ensure that the security monitoring rules are defined, enabled and alert
        applicable personnel on the use of guest, anonymous, and temporary accounts
        on Organization''s network.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: E-SM-10 - Security Monitoring Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for security monitoring alert criteria for the use
            of guest, anonymous, and temporary accounts on Organization's network
            are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on the
            use of guest, anonymous, and temporary accounts on Organization's network.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-17
      name: 'Security Monitoring Alert Criteria: VoIP Usage'
      description: Organization defines security monitoring alert criteria to detect
        deviations from Voice over IP (VoIP) activity standards.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria to detect deviations from
        Voice over IP (VoIP) activity standards are defined.

        2. Ensure that the security monitoring rules are defined, enabled and alert
        applicable personnel on deviations from Voice over IP (VoIP) activity standards.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: E-SM-10 - Security Monitoring Standard
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            requirements for security monitoring alert criteria to detect deviations
            from Voice over IP (VoIP) activity standards are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on deviations
            from Voice over IP (VoIP) activity standards.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-18
      name: 'Prohibited Activity Monitoring: Remote Access'
      description: Remote sessions are monitored for prohibited activity.
      annotation: 1. Ensure that the monitoring reports or evidence of logs from remote
        sessions are reviewed for prohibited activity.
      typical_evidence: E-SM-15 - Log evidence from remote sessions
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18:question:1
          text: 1. Review the monitoring reports or evidence of logs from remote sessions
            to determine that the remote sessions are reviewed for prohibited activity.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-19
      name: 'Prohibited Activity Monitoring: Client Run Time Technologies'
      description: Organization monitors and flags the use of prohibited client run
        time technologies on information systems.
      annotation: '1. Ensure that the monitoring software are installed on information
        systems.

        2. Enable the alerting criteria to ensure it monitors prohibited execution.'
      typical_evidence: 'E-SM-16 - Evidence of monitoring tool installation

        E-SM-17 - Alerting criteria'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:1
          text: 1. Validate and inspect if monitoring software are installed on information
            systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:2
          text: 2. Inspect the alerting criteria to ensure it monitors prohibited
            execution.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-20
      name: 'Security Monitoring Alert Criteria: Wireless Access Point'
      description: Organization defines security monitoring alert criteria for attack
        attempts against wireless access points.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for attack attempts against
        wireless access points.

        2. Ensure that the security monitoring rules are defined, enabled and alert
        applicable personnel on potential failed login attempts.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-11 - List of monitoring rules'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for security monitoring alert criteria for attack
            attempts against wireless access points are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:2
          text: 2. Obtain list of security monitoring rules that are defined.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-21
      name: 'Security Monitoring Alert Criteria: Failed Logins'
      description: Organization defines security monitoring alert criteria for failed
        login attempts on Organization's network.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for failed login attempts
        on Organization''s network.

        2. Ensure a sample of security monitoring rules, to validate that the rules
        are defined to look for and alert applicable personnel on potential failed
        login attempts.

        3. Ensure that alerts being generated are sent to the SOC team to support
        remediation.'
      typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for security monitoring alert criteria for failed
            login attempts on Organization's network.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on potential
            failed login attempts.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-22
      name: 'Security Monitoring Alert Criteria: Privileged Functions'
      description: Organization defines security monitoring alert criteria for privileged
        functions executed by both authorized and unauthorized users.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for privileged functions
        executed by both authorized and unauthorized users.

        2. Ensure that the security monitoring rules are defined, enabled and alert
        applicable personnel on privileged functions executed by both authorized and
        unauthorized users.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for privileged functions executed by both authorized
            and unauthorized users.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on privileged
            functions executed by both authorized and unauthorized users.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-23
      name: 'Security Monitoring Alert Criteria: Audit Log Integrity'
      description: Organization defines security monitoring alert criteria for changes
        to the integrity of audit logs.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for changes to the integrity
        of audit logs.

        2. Ensure that the security monitoring rules are defined, enabled and alert
        applicable personnel on changes to the integrity of audit logs.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements for changes to the integrity of audit logs.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on changes
            to the integrity of audit logs.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-24
      name: 'Security Monitoring Alert Criteria: Cardholder System Components'
      description: Organization defines security monitoring alert criteria for system
        components that store, process, transmit, or could impact the security of
        cardholder data and/or sensitive authentication data.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for security monitoring alert criteria for system components
        that store, process, transmit, or could impact the security of cardholder
        data and/or sensitive authentication data.

        2. Ensure that the security monitoring rules are defined, enabled, and alert
        applicable personnel on checks for any impact to the CDE.

        3. Ensure that alerts are being generated and sent to the SOC team to support
        remediation.'
      typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:1
          text: 1. Inspect whether the security logs from various sources are sent
            to the monitoring tool.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:2
          text: 2. Inspect a sample of security monitoring rules, to validate that
            the rules are defined to look for and alert applicable personnel on checks
            for any impact to the CDE.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:3
          text: 3. Validate that alerts being generated are sent to the SOC team to
            support remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-25
      name: System Security Monitoring
      description: Critical systems are monitored in accordance with predefined security
        criteria and alerts are sent to authorized personnel. Confirmed incidents
        are tracked to resolution.
      annotation: '1. Ensure that Organization''s Security Monitoring Standard includes
        requirements for responding to flagged system alerts and confirmed incidents.

        2. Configure security monitoring tool to ensure that critical information
        system activity is monitored.

        3. Ensure that the events are triaged and resolved by authorized personnel
        as applicable.'
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:1
          text: 1. Inspect Organization's Security Monitoring Standard to determine
            whether requirements are defined for responding to flagged system alerts
            and confirmed incidents.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:2
          text: 2. For a sample of services, inspect security monitoring tool to determine
            whether critical information system activity is monitored.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:3
          text: 3. Inspect a sample of security events to determine whether the events
            are triaged and resolved by authorized personnel as applicable.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-26
      name: Intrusion Detection Systems
      description: "Organization has an Intrusion Detection System (IDS) or Intrusion\
        \ Prevention System (IPS) deployment(s) and ensures the following:\n\u2022\
        \ signature definitions are updated including the removal of false positive\
        \ signatures\n\u2022 non-signature based attacks are defined\n\u2022 IDS/IPS\
        \ are configured to capture malicious (both signature and non-signature based)\
        \ traffic\n\u2022 alerts are reviewed and resolved by authorized personnel\
        \ when malicious traffic is detected"
      annotation: "1. Ensure that the Organization has a policy or standard that covers\
        \ the use and management of intrusion detection system (IDS) or intrusion\
        \ prevention system (IPS) tools on its in-scope systems.\n2. Ensure that there\
        \ is an intrusion detection system (IDS) or intrusion prevention system (IPS)\
        \ deployed on all in-scope systems.\n3. Ensure that IDS/IPS tool is configured\
        \ in a manner that:\n\u2022 signature definitions are updated including the\
        \ removal of false positive signatures\n\u2022 non-signature based attacks\
        \ are defined\n\u2022 IDS/IPS are configured to capture malicious (both signature\
        \ and non-signature based) traffic\n\u2022 alerts are reviewed and resolved\
        \ by authorized personnel when malicious traffic is detected\n4. Ensure that\
        \ the ability to disable IDS/IPS tools are restricted to limited personnel,\
        \ and can only be disabled with a proper justification and for a limited time."
      typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration

        E-SM-19 - Sample of alerts generated'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:1
          text: 1. Inspect the Organization has a policy or standard that details
            the use and management of intrusion detection system (IDS) or intrusion
            prevention system (IPS) tools on its in-scope systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:2
          text: 2. Obtain a list of all in-scope systems, and for a given sample,
            confirm that IDS/IPS is running on those systems, and that they are up
            to date.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:3
          text: '3. Inspect the IDS/IPS rulesets and ensure that they are configured
            with the items below:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:4
          text: "\u2022 signature definitions are updated including the removal of\
            \ false positive signatures"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:5
          text: "\u2022 non-signature based attacks are defined"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:6
          text: "\u2022 IDS/IPS are configured to capture malicious (both signature\
            \ and non-signature based) traffic"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:7
          text: "\u2022 alerts are reviewed and resolved by authorized personnel when\
            \ malicious traffic is detected"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:8
          text: 4. For a sample of alerts, confirm that they were reviewed and resolved
            by the authorized personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:9
          text: 5. Observe configuration showing that IDS/IPS tools cannot be disabled
            except by authorized personnel and can only be disabled with a proper
            justification and for a limited time.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-27
      name: System Monitoring Legal Opinion
      description: Organization obtains legal opinion with regard to monitoring activities
        in accordance with applicable requirements and mandates.
      annotation: '1. Design a legal process to ensure that only approved monitoring
        criteria is established as per applicable legal, contractual, and government
        requirements.

        2. Ensure any change in monitoring criteria takes legal sign off into consideration.'
      typical_evidence: E-SM-20 - Sample of legal sign off on monitoring criteria
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:1
          text: 1. Inspect organization's legal process to ensure approved monitoring
            criteria is established as per applicable legal, contractual, and government
            requirements.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:2
          text: 2. Validate whether any change in monitoring criteria takes legal
            sign off into consideration.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-28
      name: Privileged Session Monitoring
      description: 'Organization monitors trusted data environments for unauthorized
        logical access connections. '
      annotation: "1. Ensure that Organization's Security Monitoring standard includes\
        \ the requirements for session monitoring.\n2. Configure monitoring tool to\
        \ ensure least privileged principle is followed. \n3. Ensure that the organization\
        \ monitors trusted data environments for unauthorized logical access connections."
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-14 - Monitoring tool configuration

        E-SM-21 - Alerting criteria for unauthorized logical access connections'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:1
          text: 1. Inspect Organization's Security Monitoring standard to determine
            whether the requirements for session monitoring are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:2
          text: '2. Inspect configurations of monitoring tool to ensure least privileged
            principle is followed. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:3
          text: 3. Inspect evidence of the Organization monitoring trusted data environments
            for unauthorized logical access connections.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-29
      name: Availability Monitoring Alert Criteria
      description: Organization defines availability monitoring alert criteria, how
        alert criteria will be flagged, and identifies authorized personnel for flagged
        system alerts.
      annotation: '1. Ensure that a documented Availability Monitoring Standard is
        present including requirements defined for responding to alerts and confirmed
        incidents.

        2. Establish a process to ensure that the availability monitoring rules are
        defined and implemented to flag events, and notify authorized personnel.

        3. Ensure that the system configurations of monitoring tools include Availability
        Monitoring Alert Criteria.'
      typical_evidence: 'E-SM-22 - Availability Monitoring Standard

        E-SM-23 - Availability Monitoring Rules

        E-SM-24 - Availability Monitoring Tool Configuration'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:1
          text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\
            \ determine whether requirements for availability monitoring alert criteria\
            \ are defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:2
          text: 2. Inspect availability monitoring tool to determine whether availability
            monitoring rules are defined and implemented to flag events, and notify
            authorized personnel.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:3
          text: 3. Inspect system configurations of monitoring tools for a sample
            of services to determine whether Availability Monitoring Alert Criteria
            are configured for monitoring and alerting purposes on in-scope systems.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-30
      name: Availability Monitoring Alert Criteria Review
      description: Organization reviews availability monitoring alert criteria on
        an annual basis.
      annotation: '1. Ensure that a documented Security Monitoring Standard is present
        including process regarding availability monitoring alert criteria.

        2.. Ensure that the availability monitoring alerts are reviewed on an annual
        basis.'
      typical_evidence: 'E-SM-10 - Security Monitoring Standard

        E-SM-25 - Sample of Availability Monitoring Alerts'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:1
          text: 1. Inspect Security Monitoring Standard to ensure process regarding
            availability monitoring alert criteria is defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:2
          text: 2. Inspect evidence of availability monitoring alerts to ensure it
            is reviewed on an annual basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-31
      name: System Availability Monitoring
      description: Critical systems are monitored in accordance with predefined availability
        criteria and alerts are sent to authorized personnel.
      annotation: '1. Ensure that a documented Availability Monitoring Standard is
        present including requirements defined for responding to alerts and confirmed
        incidents.

        2. Ensure that a process has been established which generates alerts against
        the availability incidents identified.

        3. Ensure that the alerts are resolved in a timely manner by authorized personnel.'
      typical_evidence: 'E-SM-22 - Availability Monitoring Standard

        E-SM-26 - Sample of Availability Incident Tickets'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:1
          text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\
            \ determine whether requirements are defined for responding to alerts\
            \ and confirmed incidents."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:2
          text: 2. Inspect a sample of availability incident tickets from alerts generated
            to determine whether the alerts were resolved in a timely manner by authorized
            personnel.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246
      ref_id: SM-32
      name: 'Remote Access: Activity Log Audit'
      description: Logs from remote sessions are audited for prohibited activity on
        a weekly basis.
      annotation: 1. Establish a process that ensures the logs from remote sessions
        be reviewed for prohibited activity on a weekly basis.
      typical_evidence: 'E-SM-01 - Logging Standard

        E-SM-27 - Remote Session logs

        E-SM-28 - Periodic log review documentation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32:question:1
          text: 1. Inspect evidence of logs of remote sessions to determine that the
            logs are reviewed for prohibited activity on a weekly basis.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      assessable: false
      depth: 1
      name: Site Operations
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-01
      name: Secured Facility
      description: Physical access to restricted areas of the facility is protected
        by walls with non-partitioned ceilings, secured entry points, and/or manned
        reception desks.
      annotation: '1. Ensure that the Organization-owned data center facility is protected
        with: Non-partitioned ceilings Secured entry points; and/or Manned reception
        desks. '
      typical_evidence: E-SO-01 - Images/Physical inspection confirming Non-partitioned
        ceilings Secured entry points; and/or Manned reception desks
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01:question:1
          text: '1. Observe the Organization-owned data center facility to determine
            whether the facility is protected with: Non-partitioned ceilings Secured
            entry points; and/or Manned reception desks. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-02
      name: Physical Protection and Positioning of Cabling
      description: Organization power and telecommunication lines are protected from
        interference, interception, and damage.
      annotation: 1. Ensure that the Organization-owned data center facility has power
        and telecommunication lines tagged and labelled properly to  protect from
        interference, interception, and damage.
      typical_evidence: E-SO-02 - Images/Physical inspection confirming data center
        facility has power and telecommunication lines tagged and labelled
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02:question:1
          text: 1. Inspect Organization-owned data center facility to determine whether
            power and telecommunication lines are tagged and labelled properly to  protect
            from interference, interception, and damage.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-03
      name: 'Global Coordination of Critical Functions: Information Security Safeguards'
      description: Organization consistently applies information security safeguards
        in datacenters and campuses.
      annotation: "1. Ensure that information security safeguards are in place in\
        \ datacenters and campuses including but not limited to : \nAccess Machines\
        \ at entry/exit\nFire extinguishers\nFire Alarms etc."
      typical_evidence: E-SO-03 - Images/Physical inspection confirming information
        security safeguards in place at Access Machines at entry/exit, Fire extinguishers,
        Fire Alarms etc.
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:1
          text: '1 Observe whether information security safeguards are in place in
            datacenters and campuses including but not limited to : '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:2
          text: Access Machines at entry/exit
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:3
          text: Fire extinguishers
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:4
          text: Fire Alarms etc.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-04
      name: Provisioning Physical Access
      description: "Physical access provisioning to an Organization datacenter requires\
        \ management approval and documented specification of: \n\u2022 account type\
        \ (e.g., standard, visitor, or vendor)\n\u2022 access privileges granted\n\
        \u2022 intended business purpose\n\u2022 visitor identification method, if\
        \ applicable\n\u2022 temporary badge issued, if applicable\n\u2022 access\
        \ start date\n\u2022 access duration"
      annotation: '1. Ensure all physical access to organization data centers have
        management approval and documentation.

        2. Ensure physical access is granted after appropriate approvals.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-09 - Approval evidences for physical access'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:1
          text: '1. Inspect the physical security system workflow to determine whether
            requests for physical access required management approval and required
            documented specification of:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:2
          text: "\u2022Account type (e.g., visitor, vendor, or regular)."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:3
          text: "\u2022Access privileges granted."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:4
          text: "\u2022Intended business purpose."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:5
          text: "\u2022Visitor identification method, if applicable."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:6
          text: "\u2022Temporary badge issued, if applicable."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:7
          text: "\u2022Access start date."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:8
          text: "\u2022Access duration."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:9
          text: '2. Inspect physical access request documentation for a sample of
            new physical access requests to the Organization-owned data center and
            data rooms to determine whether access is approved. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-05
      name: De-provisioning Physical Access
      description: Physical access that is no longer required in the event of a termination
        or role change is revoked. If applicable, temporary badges are returned prior
        to exiting facility.
      annotation: '1. Design and document a process for temporary badges being returned
        prior to exiting the facility.

        2. Ensure access is revoked in case of employee termination or role change.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-10 - De-provisioning evidences'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:1
          text: 1. Inspect Physical Access Policy to determine whether it contains
            the requirement for temporary badges to be returned prior to exiting the
            facility.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:2
          text: '2. Obtain evidence to ensure no physical access is active for the
            terminated employees or unnecessary physical access for employees with
            a change in their roles and responsibilities. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-06
      name: Periodic Review of Physical Access
      description: Organization performs physical account and access reviews on a
        quarterly basis; corrective action is taken where applicable.
      annotation: '1. Design and document a process for physical access review and
        frequency.

        2. Ensure access review is performed as per defined frequency and necessary
        action is taken, if required..'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-11 - Physical Access Review evidence

        E-SO-12 - termination Process Evidence for sample employees'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:1
          text: "1. Inspect Organization\u2019s Physical Access Policy to determine\
            \ whether requirements for physical access review are defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:2
          text: 2. Inspect quarterly physical access review documentation for a sample
            of quarters and a sample of Organization-owned data rooms to determine
            whether the access review is completed, and corrective actions is documented
            and resolved for any access that should be revoked.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-07
      name: Physical Access Role Permission Authorization
      description: Initial permission definitions, and changes to permissions, associated
        with physical access roles are approved by authorized personnel.
      annotation: '1. Ensure all physical access to organization data centers have
        management approval and documentation.

        2. Ensure physical access is granted after appropriate approvals.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-09 - Approval evidences for physical access'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:1
          text: 1 Inspect the physical security system workflow to determine whether
            requests for physical access require approval.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:2
          text: 2 Inspect an approval of authorized personnel, for any initial permission  or
            modifications of permissions, ensure they are associated to physical access
            roles.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-08
      name: Monitoring Physical Access
      description: Intrusion detection and video surveillance are installed at Organization
        datacenter locations; confirmed incidents are documented and tracked to resolution.
      annotation: '1. Ensure that the Organization data center intrusion detection
        and video surveillance system are installed at Organization data center.

        2. Ensure that event logs are used for resolution of incidents.'
      typical_evidence: 'E-SO-04 - Sample CCTV video of data center from intrusion
        detection and video surveillance system

        E-IR-07 - Logs of Incident maintained'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:1
          text: 1. Observe the Organization data center intrusion detection and video
            surveillance system to determine whether intrusion detection and video
            surveillance systems are installed at Organization data center.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:2
          text: 2. If applicable, for a sample of incident observe that event logs
            were used for the resolution of the incident.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-09
      name: Surveillance Feed Retention
      description: Surveillance feed data is retained for 90 days.
      annotation: 1. Ensure that surveillance feed data is stored for 90 days.
      typical_evidence: E-SO-05 - Configuration from the camera management system
        that shows that it is configured to retain surveillance video data for 90
        days
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:1
          text: 1. Observe a sample of video footage showing the date and timestamp
            from the day of collection and one that is from 90 days before that.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:2
          text: 2. Observe a configuration from the camera management system that
            shows that it is configured to retain surveillance video data for 90 days
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-10
      name: Visitor Access
      description: Physical access for visitors is managed through monitoring, maintaining
        records, escorting, and reviewing access monthly. Visitor access records to
        the facilities are kept for at least a year.
      annotation: '1. Design and document the requirement for visitor access, maintaining
        records, escorting, and reviewing access monthly.

        2. Ensure visitor access is approved, with an escort.

        3. Ensure monthly access reviews are performed.

        4. Ensure retention of visitor access for at least a year.'
      typical_evidence: "E-SO-08        - \nE-SO-13 - Visitor Approval records\nE-SO-14\
        \ - Visitor access monthly reviews"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:1
          text: 1. Inspect Physical Access Policy to determine whether it contains
            the requirement for visitor access, maintaining records, escorting. and
            reviewing access monthly.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:2
          text: 2. Obtain and validate evidence that visitor access is approved, with
            an escort.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:3
          text: 3. Obtain and validate evidence of monthly access reviews.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:4
          text: 4. Obtain and validate evidence of retention of visitor access for
            at least a year.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-11
      name: Physical Access Devices
      description: Physical access devices (i.e., keys, combinations, access cards,
        etc.) are maintained through an inventory and restricted to authorized individuals.
        Appropriate devices are rotated when compromised or upon employee termination
        or transfer.
      annotation: '1. Ensure inventory of physical access devices is maintained.

        2. Ensure access to inventory is limited to authorized personnel.

        3. Ensure rotation of physical access devices when compromised, or employee
        termination or transfer.'
      typical_evidence: 'E-SO-15 - List of physical devices

        E-SO-16 - Access list to inventory

        E-SO-17 - Evidence of Key Rotation when compromised/ employee termination
        or transfer'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:1
          text: 1 Inspect the list of physical access devices.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:2
          text: 2 Inspect the list of individuals who has an access to physical devices.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:3
          text: 3 Inspect whether physical access devices were rotated when compromised
            or upon employee termination or transfer.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-12
      name: Temperature and Humidity Control
      description: Temperature and humidity levels of datacenter environments are
        monitored and maintained at appropriate levels.
      annotation: "1. Ensure temperature and humidity monitoring system configurations\
        \ at organization-owned data center are set to determine whether temperature\
        \ and humidity levels are being monitored and configured to alert appropriate\
        \ personnel when temperature or humidity levels exceed set limits. \n2.Ensure\
        \ that temperature and humidity alarms are generated over the threshold."
      typical_evidence: 'E-SO-18 - Temperature and Humidity configuration

        E-SO-19 - Temperature and Humidity Threshold defined in system

        E-SO-20 - Temperature and Humidity Alarms triggered and remediation'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:1
          text: '1. Inspect the temperature and humidity monitoring system and configurations
            at organization-owned data center to determine whether temperature and
            humidity levels are being monitored and configured to alert appropriate
            personnel when temperature or humidity levels exceed set limits. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:2
          text: 2.Inspect the temperature and humidity alarms generated over the threshold
            to determine if any alarms were triggered.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-13
      name: Fire Suppression Systems
      description: Emergency responders are automatically contacted when fire detection
        systems are activated; the design and function of fire detection and suppression
        systems are maintained at appropriate intervals.
      annotation: '1. Ensure fire detection systems are in place and emergency responders
        are contacted, if required.

        2. Ensure detection and suppression systems are tested at regular intervals.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-06 - Images/Physical inspection confirming the fire detection/suppression
        systems in use at the Organization-owned data center

        E-SO-21 - fire suppression/detection certifications '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:1
          text: 1. Inspect Organization's Physical Security Policy, Alarm Management
            and System Maintenance Standard to determine whether requirements for
            fire detection/suppression systems are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:2
          text: 2. Observe the fire detection/suppression systems in use at the Organization-owned
            data center to determine whether they are in place.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:3
          text: 3. Inspect the fire detection system monitoring contract in place
            to determine whether Organization has contracted with a third party to
            monitor fire detection systems for the Organization-owned data center.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:4
          text: 4. Inspect fire suppression/detection certifications at the Organization
            owned data center to determine whether the design and function of these
            systems are tested at appropriate intervals.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-14
      name: Power Failure Protection
      description: Organization employs uninterruptible power supplies (UPS) and generators
        to support critical systems in the event of a power disruption or failure.
        The design and function of relevant equipment is certified at appropriate
        intervals.
      annotation: '1. Ensure UPS and generators are employed to support critical systems
        in the event of a power disruption or failure.

        2. Ensure that UPS and generator are certified at appropriate intervals.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-07 - Images/Physical inspection confirming UPS and generators at a selection
        of Organization-owned data center

        E-SO-22 - UPS and generator maintenance certificates'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:1
          text: 1. Observe the UPS and generators at a sample of Organization-owned
            data center and data rooms to determine whether they are employed to support
            critical systems in the event of a power disruption or failure.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:2
          text: 2. Inspect UPS and generator certifications for in-scope Organization
            owned-data center and data rooms to determine whether the equipment is
            certified at appropriate intervals.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-15
      name: Emergency Shutoff
      description: Organization employs emergency power shut-off capabilities. Access
        to shut off power is restricted to authorized individuals.
      annotation: '1. Ensure process is documented for emergency power shut-off.

        2. Ensure access to shut-off power is limited to authorized personnel.'
      typical_evidence: 'E-SO-08 - Physical Access Policy

        E-SO-23 - List of authorized personnel with access to shut-off power'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:1
          text: 1 Inspect documentation related to emergency power shut-off capabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:2
          text: 2 Obtain and validate a list of authorized personnel who have access
            to shut off power.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279
      ref_id: SO-16
      name: Emergency Lighting
      description: Organization employs emergency lighting in the event of a power
        disruption or failure. The design and function of relevant equipment is certified
        at appropriate intervals.
      annotation: 1. Ensure emergency lighting equipment's are tested at regular intervals.
      typical_evidence: E-SO-24 - Emergency lighting equipment certificates
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16:question:1
          text: 1 Inspect certification of relevant equipment which may be used during
            emergency lighting in the event of a power disruption or failure.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      assessable: false
      depth: 1
      name: Training and Awareness
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-01
      name: General Security Awareness Training
      description: Organization personnel complete security awareness training, which
        includes annual updates about relevant policies and how to report security
        events to the authorized response team. Records of training completion are
        documented and retained for tracking purposes.
      annotation: "1. Ensure that the requirements for completion of security awareness\
        \ training are defined in the Organization\u2019s Compliance Training Policy\
        \ and Security Awareness Training Standard.\n2. Ensure that the Organization's\
        \ Security Awareness Training Material is well defined, documented, and up\
        \ to date.\n3. Ensure that there is a record of active employees and contractors\
        \ maintained and updated by the organization.\n4. Ensure that security awareness\
        \ training is provided on a regular basis and the progress of all contractors\
        \ and employees participating in the training tracked and documented.."
      typical_evidence: 'E-TA-01 - Compliance Training Policy





        E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:1
          text: "1. Inspect Organization\u2019s Compliance Training Policy and Security\
            \ Awareness Training Standard to determine whether requirements for completion\
            \ of security awareness training are defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:2
          text: "2. Inspect Organization\u2019s Security Awareness Training material\
            \ to determine whether it details: Version history of the SAT to determine\
            \ materials are updated during the audit period. How to report security\
            \ events to the appropriate response team"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:3
          text: 3. Obtain the list of active employees and contractors.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:4
          text: 4. For a sample of active employees and contractors, obtain and inspect
            the security awareness training completion records to determine whether
            training is completed annually and completion is tracked and documented.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-02
      name: Code of Conduct Training
      description: Organization full-time and temporary employees and interns complete
        a code of business conduct training.
      annotation: '1. Ensure that requirements for completion of business code of
        conduct training are defined with the organization''s Compliance Training
        Policy.

        2. Ensure that the training material for the Organization''s Code of Business
        Conduct outlines the responsibilities of both full-time and temporary employees
        in adhering to the code.

        3. Ensure employees have completed the Code of Business Conduct training as
        per the policy by examining  training completion records for a group of new
        and existing employees.'
      typical_evidence: 'E-TA-01 - Compliance Training Policy





        E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:1
          text: "1. Inspect Organization\u2019s Compliance Training Policy to determine\
            \ whether requirements for completion of business code of conduct training\
            \ are defined."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:2
          text: "2. Inspect Organization\u2019s Code of Business Conduct training\
            \ material to determine whether it includes Organization full-time and\
            \ temporary Employees\u2019 responsibilities for adhering to the business\
            \ code of conduct."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:3
          text: 3. Inspect Code of Conduct training completion records for a selection
            of new and current employees to determine whether new hires and existing
            employees have completed Code of Business Conduct training in accordance
            with the policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-03
      name: Accessibility Training
      description: Organization personnel complete accessibility awareness training,
        which includes annual updates about relevant policies and how to report accessibility
        events internally. Records of training completion are documented and retained
        for tracking purposes.
      annotation: '1. Ensure that the training material includes information about
        annual updates to relevant policies and instructions on how to report accessibility
        events internally.

        2. Ensure that well defined and documented records of training completion
        are maintained by the organization.'
      typical_evidence: 'E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:1
          text: '1 Inspect training material to determine whether it detailed annual
            updates about relevant policies and how to report accessibility events
            internally. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:2
          text: 2 Inspect training completion records for a sample of employees.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-04
      name: Phishing Awareness
      description: Organization performs periodic phishing campaigns.
      annotation: 1. Ensure that the organization conducts regular phishing campaigns
        to help employees get better at spotting and handling real phishing threats
      typical_evidence: E-TA-04 - Evidence of phishing campaigns set up by the organization
        (Eg - mails sent etc)
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04:question:1
          text: 1. Verify that the organization performs periodic phishing campaigns
            to evaluate and improve their employees' ability to recognize and respond
            to real phishing threats.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-05
      name: Developer Security Training
      description: Organization's software engineers are required to complete training
        based on secure coding techniques on an annual basis.
      annotation: '1. Ensure that review of the security training material includes
        guidance on yearly Secure Coding Training for PCI developers and software
        engineers.

        2. Ensure that the secure coding training was provided and completed by the
        employees within the last 365 days.

        3. Make sure that engineers are registered for the Security Engineering Training
        program as required.'
      typical_evidence: 'E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:1
          text: 1. Inspect the Security Training Material to validate that the standard
            provides guidance on annual Secure Coding Training for PCI developers
            and software engineers.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:2
          text: 2. For a sample of employees obtain evidences showing secure coding
            training completion. Validate that the date of completion is in the last
            365 days.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:3
          text: 3. Ensure that all engineers are enrolled in the Security Engineering
            Training program as needed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-06
      name: Payment Card Processing Security Awareness Training
      description: "Organization personnel that interact with cardholder data systems\
        \ receive awareness training to be aware of attempted tampering or replacement\
        \ of devices. Training should include the following:\n\u2022 verify the identity\
        \ of third-party persons claiming to be repair or maintenance personnel, prior\
        \ to granting them access to modify or troubleshoot devices.\n\u2022 do not\
        \ install, replace, or return devices without verification\n\u2022 be aware\
        \ of suspicious behavior around devices (e.g., attempts by unknown persons\
        \ to unplug or open devices)\n\u2022 report suspicious behavior and indications\
        \ of device tampering or substitution to authorized personnel (e.g., to a\
        \ manager or security officer)"
      annotation: "1. Ensure that the training materials to check if they cover the\
        \ following topics:\n\u2022 Confirming the identity of third-party repair\
        \ or maintenance personnel before giving them access to devices.\n\u2022 Not\
        \ making changes or returning devices without proper verification.\n\u2022\
        \ Being alert to unusual behavior around devices, like unauthorized attempts\
        \ to tamper with them.\n\u2022 Reporting any suspicious behavior or signs\
        \ of device tampering to authorized personnel, such as a manager or security\
        \ officer."
      typical_evidence: 'E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:1
          text: '1 Inspect training material to determine whether it detailed:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:2
          text: "\u2022 verify the identity of third-party persons claiming to be\
            \ repair or maintenance personnel, prior to granting them access to modify\
            \ or troubleshoot devices."
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:3
          text: "\u2022 do not install, replace, or return devices without verification"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:4
          text: "\u2022 be aware of suspicious behavior around devices (e.g., attempts\
            \ by unknown persons to unplug or open devices)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:5
          text: "\u2022 report suspicious behavior and indications of device tampering\
            \ or substitution to authorized personnel (e.g., to a manager or security\
            \ officer)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:6
          text: 2 Inspect training completion records for a selection of employees.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-07
      name: 'Role-based Security Training: HIPAA'
      description: Organization personnel with access to personal health information
        (PHI) are required to attend and complete HIPAA privacy training.
      annotation: "1. Ensure access to sensitive information including (PHI) is given\
        \ to limited employees (based on roles and responsibilities) and records for\
        \ the same shall be maintained. \n2. Ensure all employee that accesses PHI\
        \ shall complete mandatory training of HIPAA security and privacy.\n3. Training\
        \ records for the same needs to be maintained for tracking purpose."
      typical_evidence: 'E-TA-05 - Access records who have access to PHI

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:1
          text: 1. Inspect the population of Organization personnel who have access
            to PHI.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:2
          text: '2. Inspect completion records for a sample of employees with access
            to PHI, for evidence that the employees had completed HIPAA security and
            privacy training. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-08
      name: Role-based Security Training
      description: "Organization personnel with key security responsibilities complete\
        \ relevant role-based training on an annual basis:\n\u2022 personnel must\
        \ complete training prior to obtaining access to privileged security systems\n\
        \u2022 personnel with contingency responsibilities must complete role-based\
        \ training within 10 days of assuming the role\n\u2022 records of training\
        \ completion are documented and retained for tracking purposes"
      annotation: '1. Ensure role-based training material contains details around
        key security responsibilities.

        2. Training records for each employee shall be maintained for future tracking.'
      typical_evidence: 'E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:1
          text: 1 Inspect training material to determine whether it detailed key security
            responsibilities relevant to role-based trainings.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:2
          text: 2 Inspect training completion records for a sample of employees.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296
      ref_id: TA-09
      name: Security Champion Training
      description: Service teams select a "Security Champion" to ensure security engagement
        responsibilities are assigned and tracked to completion; Security Champions
        receive training on how to execute responsibilities.
      annotation: '1. Ensure there is a process by which the service teams select
        a "Security Champion" and they complete their security champions training.

        2. Maintain training records for the Security Champions.'
      typical_evidence: 'E-TA-02 - Training Material

        E-TA-03 - Training Records'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:1
          text: '1. Inspect documentation related to Security Champions and verify
            that they are defined for selected service teams. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:2
          text: 2. Inspect training completion records for a sample of Security Champions.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      assessable: false
      depth: 1
      name: Third-Party Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-01
      name: Third-Party Assurance Review
      description: On a periodic basis, management reviews controls within third-party
        assurance reports to ensure that they meet organizational requirements; if
        control gaps are identified in the assurance reports, management takes action
        to address impact the disclosed gaps have on the organization.
      annotation: "1. Ensure there is a documented procurement policy and information\
        \ security standard which consists information that includes but not limited\
        \ to third-party assurance reviews. \n2. Ensure a formal questionnaire is\
        \ prepared, which will be used for assessing third-party risks during the\
        \ onboarding process.\n \n3. Ensure there is an action plan for control gaps\
        \ identified at the time of vendor security review for their third-party controls.\n\
        \ "
      typical_evidence: "E-TPM-01 - Procurement Policy \nE-TPM-07  - \nE-TPM-02 -\
        \ Questionnaire for assessing third party risks\nE-TPM-03  - "
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:1
          text: 1. Inspect Organization Procurement Policy and Vendor Information
            Security Standard to determine whether requirements for third-party assurance
            reviews are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:2
          text: 2. Observe Organization Risk Assessment system to determine whether
            a questionnaire for systematically assessing third-party risks is defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:3
          text: "3. For a sample of vendors, inspect whether the corresponding Vendor\
            \ Security Review (VSR) is completed to determine whether management has\
            \ assessed the third party\u2019s controls to determine Organization requirements\
            \ are met and management took action on control gaps as applicable."
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-02
      name: Vendor Risk Management
      description: Organization performs a risk assessment to determine the data types
        that can be shared with a managed service provider.
      annotation: '1. Ensure there is process to conduct vendor security review and
        all vendors must go through the review; records for documentation and risk
        rating needs to be maintained. '
      typical_evidence: E-TPM-04 - Vendor Security Reviews Evidence
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:1
          text: 1. Validate for a sample for service providers that an assessment
            was conducted and a risk rating is assigned to them as part of the VSR
            process.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:2
          text: 2. Validate that the vendors are listed in the vendor management tool
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-03
      name: Forensic Investigations
      description: Organization enables procedures to conduct a forensic investigation
        in the event that a hosted merchant or service provider is compromised.
      annotation: "1. Ensure there is documented process for conducting a forensic\
        \ investigation in the event when a hosted merchant or service provider is\
        \ compromised. \n2. Ensure documentation for the same needs to be maintained\
        \ for tracking purposes and corrective actions."
      typical_evidence: "E-TPM-05 - Forensic investigation process document \nE-TPM-06\
        \ - \n\nSample Forensic Investigations"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:1
          text: 1. Inspect documentation to determine whether procedures to conduct
            a forensic investigation in the event when a hosted merchant or service
            provider is compromised, are defined.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:2
          text: 2. For sample investigations validate whether appropriate documentation
            is retained.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-04
      name: Privacy Risk Assessment
      description: Organization reviews the privacy practices of service providers
        who access, collect, process, transfer, or store personal information on Organization's
        behalf upon initial procurement and renewal; non-compliance is tracked through
        remediation.
      annotation: "1. Ensure that a process is defined and documented to review the\
        \ privacy practices of service providers who access, collect, process, transfer,\
        \ or store personal information on Organization's behalf.\n2. Ensure that\
        \ the reviews are conducted at the time of initial procurement and at renewal.\n\
        3. Ensure that any non-compliances are tracked to remediation.\n "
      typical_evidence: "E-TPM-07  - \nE-TPM-08 - Privacy Review Evidence\nE-TPM-09\
        \ - Remediation Evidence of non-compliances identified during Vendor Security\
        \ Reviews"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:1
          text: 1. Inspect and validate that a process is defined and documented to
            review the privacy practices of service providers who access, collect,
            process, transfer, or store personal information on Organization's behalf.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:2
          text: 2. Validate for a sample vendor that the reviews are conducted at
            the time of initial procurement and at renewal.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:3
          text: 3. Validate for a sample non-compliance event that it was tracked
            to remediation.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:4
          text: ' '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-05
      name: 'Network Access Agreement: Vendors'
      description: Third-party entities which gain access to the Organization network
        sign a network access agreement.
      annotation: 1. Ensure that all third-party vendors sign the network access agreement
        before accessing the organization's network.
      typical_evidence: E-TPM-10 - Network access Agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05:question:1
          text: 1. For a sample of vendors validate whether a signed Network Security
            Agreement Exists prior to onboarding.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-06
      name: Vendor Non-disclosure Agreements
      description: Agency temporary workers, independent contractors, and third-party
        entities consent to a non-disclosure clause.
      annotation: 1. Ensure that a process is defined and documented for all agency
        temporary workers and independent contractors to sign a non-disclosure clauses
        before accessing the organization's network.
      typical_evidence: E-TPM-11 - Sample Agreements for temporary workers
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:1
          text: 1. Obtain listings of agency temporary workers and independent contractors
            from the Contingent Workforce team
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:2
          text: 2. For a sample of agency temporary workers, independent contractors,
            inspect Agreement to determine that non-disclosure clause is acknowledged.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-07
      name: Cardholder Data Security Agreement
      description: Organization managed service providers that manage, store, or transmit
        cardholder data on behalf of the customer must provide written acknowledgement
        to customers of their responsibility to protect cardholder data and the cardholder
        data environment.
      annotation: 1. Ensure that a process is defined and documented for all the managed
        service providers that manage, store, or transmit cardholder data on behalf
        of the customer to provide a written acknowledgement to customers of their
        responsibility to protect cardholder data and the cardholder data environment.
      typical_evidence: E-TPM-12 - Evidence to Acknowledgement to Customers for Card
        Holder Data responsibilities
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07:question:1
          text: 1. Validate for a sample Managed Service Provider that they have provided
            acknowledgement to customers of their responsibility to protect cardholder
            data and the cardholder data environment.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-08
      name: HIPAA Business Associate Agreement
      description: "Organization Business Associate Agreements must contain provisions\
        \ for the following:\n\u2022 permitted uses and disclosures of Protected Health\
        \ Information (PHI)\n\u2022 PHI safeguards to prevent unauthorized use or\
        \ disclosure\n\u2022 communications regarding the unauthorized use or disclosure\
        \ of PHI\n\u2022 PHI availability\n\u2022 contract termination and disposition\
        \ of PHI"
      annotation: "1. Ensure there is a documented business associate agreement which\
        \ includes clauses but not limited to :\n\u2022 permitted uses and disclosures\
        \ of Protected Health Information (PHI)\n\u2022 PHI safeguards to prevent\
        \ unauthorized use or disclosure\n\u2022 communications regarding the unauthorized\
        \ use or disclosure of PHI\n\u2022 PHI availability\n\u2022 contract termination\
        \ and disposition of PHI\n2. Ensure that a process is defined for all business\
        \ associates to sign and acknowledge to this agreement"
      typical_evidence: 'E-TPM-13 - Business Associate Agreement '
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:1
          text: '1. Inspect Organization''s Business Associate Agreements and validate
            that it includes the following:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:2
          text: "\u2022 permitted uses and disclosures of Protected Health Information\
            \ (PHI)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:3
          text: "\u2022 PHI safeguards to prevent unauthorized use or disclosure"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:4
          text: "\u2022 communications regarding the unauthorized use or disclosure\
            \ of PHI"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:5
          text: "\u2022 PHI availability"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:6
          text: "\u2022 contract termination and disposition of PHI"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:7
          text: 2. For a sample business associate validate that they have signed
            the said agreement.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-09
      name: HIPAA Business Associate Subcontractor Agreement
      description: Organization requires a Business Associate Subcontractor Agreement
        with Business Associates from which it receives or transmits protected health
        information (PHI); Business Associates under contract are required to provide
        assurance that they adhere to Organization's security standards, which includes
        the security of PHI and reporting security events that potentially expose
        PHI.
      annotation: '1. Ensure there is a documented business associate subcontractor
        agreement which includes, but not limited to: security of PHI and reporting
        of security events that potentially exposes PHI.

        2. Ensure that all business associates are under this agreement and provide
        assurance that they adhere to Organization''s security standards.'
      typical_evidence: E-TPM-14 - Business Associate Subcontractor Agreement document
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:1
          text: 1. Inspect Organization's Business Associate Subcontractor Agreement
            document.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:2
          text: 2. Inspect an executed agreement for Organization's Business Associate,
            for evidence that Business Associates provide Assurance that they comply
            with Organization's security standards, which includes the security of
            PHI and reporting security events that potentially expose PHI.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-10
      name: Network Service Level Agreements (SLA)
      description: Vendors providing networking services to Organization are contractually
        bound to provide secure and available services as documented in SLAs.
      annotation: '1. Ensure that a process is defined and documented for ensuring
        SLA in case of network services.

        2. Ensure appropriate contracts are created with network service providers
        to ensure availability of network services.

        3. Ensure appropriate monitoring is enabled to identify any network downtime
        and SLA breaches.'
      typical_evidence: "E-TPM-15 - Vendor SLA document \nE-TPM-16 - Results of Network\
        \ Configuration Monitoring"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:1
          text: 1. Inspect and a validate that a process is defined and documented
            for ensuring SLA in case of network services.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:2
          text: 2. Validate for a sample vendor that contracts are created to ensure
            availability of network services.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:3
          text: 3.Validate monitoring configuration to confirm that it is enabled
            to identify any network downtime and SLA breaches.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-11
      name: Personal Information Processing and Transfer Agreement
      description: Appropriate data processing and transfer agreements are established
        for the collection, processing, transfer, or storage of personal information
        by, or on behalf of, Organization.
      annotation: '1. Ensure that a process is defined and documented for establishing
        data processing and transfer agreements for the collection, processing, transfer,
        or storage of personal information by, or on behalf of, the Organization.

        2. Ensure these agreements are signed and retained appropriately as per organization''s
        policy.'
      typical_evidence: E-TPM-17 - Data Processing and Transfer Agreement
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:1
          text: 1. Inspect and validate that a process is defined and documented for
            establishing data processing and transfer agreements for the collection,
            processing, transfer, or storage of personal information by, or on behalf
            of, the Organization.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:2
          text: 2. Validate for a sample agreement that it is signed and retained
            appropriately as per organization's policy.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-12
      name: Approved Service Provider Listing
      description: Organization maintains a list of approved managed service providers
        and the services they provide to Organization.
      annotation: "1. Ensure there is a documented process for vendor onboarding and\
        \ termination. \n2. Ensure that activities for vendor onboarding and offboarding\
        \ are logged and maintained appropriately.\n3. Ensure that the list of active\
        \ vendors is reviewed and updated periodically."
      typical_evidence: E-TPM-18 - Vendor onboarding/ termination document
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:1
          text: '1. Inspect and validate that there is a documented process for vendor
            onboarding and termination. '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:2
          text: 2. Validate that activities for vendor onboarding and offboarding
            are logged and maintained appropriately.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:3
          text: 3. Validate the list of active vendors and verify that it is reviewed
            and updated periodically.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306
      ref_id: TPM-13
      name: Vendor Information Security Standard
      description: Organization has documented a Vendor Information Security Standard
        that defines the responsibilities and governance requirements regarding vendor
        information security engagements. Contractual agreements are entered into
        with vendors who process or store Organization data that define information
        Security terms and service level agreements.
      annotation: '1. Ensure there is documented vendor information security standard
        which is available on intranet for employees.

        2. Ensure vendor information security standard defines the responsibilities
        and governance requirements regarding vendor information security engagements.

        3. Ensure appropriate agreements are established with vendors who process
        or store Organization data. '
      typical_evidence: "E-TPM-07 - Vendor information security standard\nE-TPM-19\
        \ - \n\nSample Vendor Agreement"
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:1
          text: 1. Inspect and validate that there is a documented vendor information
            security standard which is available on intranet for employees.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:2
          text: 2. Validate vendor information security standard defines the responsibilities
            and governance requirements regarding vendor information security engagements.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:3
          text: 3. For a sample vendor validate that agreements are established.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      assessable: false
      depth: 1
      name: Vulnerability Management
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-01
      name: Vulnerability Scans
      description: Organization conducts vulnerability scans against the production
        environment; scan tools are updated prior to running scans.
      annotation: '1. Ensure that the requirements for periodic vulnerability scans
        are defined and documented.

        2. Ensure a process is established for updating the scanning tool version
        prior to running the scan.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-02 - Scan Tool version evidence

        E-VM-03 - Scanning evidence for a sample hosts/accounts'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:1
          text: 1. Review Vulnerability Management policy and/or standard to validate
            that they define requirements for periodic vulnerability scans.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:2
          text: 2. Inspect scanning tool version information to ensure they are up
            to date.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:3
          text: 3. Validate evidence for a sample of service production hosts/accounts
            to ensure that vulnerability scans are conducted and tickets are created
            as appropriate.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-02
      name: 'Vulnerability Scans: Cardholder Data Environment'
      description: Vulnerability scans are conducted against cardholder environments
        at least quarterly or after significant change; critical vulnerability resolution
        is confirmed via a rescan.
      annotation: '1. Ensure that the requirements for quarterly vulnerability scans
        against cardholder data environement are defined and documented.

        2. Ensure a process is established to initiate a scan after every significant
        change.

        3. Ensure all critical vulnerabilities are tracked to resolution and confirmed
        via a rescan'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-04 - Resolution and rescan evidence for a sample vulnerability'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:1
          text: 1. Inspect and validate whether the requirements for quarterly vulnerability
            scans against cardholder data environement are defined and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:2
          text: 2. Validate that a process is established to initiate a scan after
            every significant change.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:3
          text: 3. Validate for a sample critical vulnerability whether it was tracked
            to resolution and confirmed via a rescan
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-03
      name: 'Vulnerability Scans: Audit Log Review'
      description: When vulnerabilities are identified, Organization analyzes audit
        logs to see if it has been previously exploited. Identified exploitations
        are resolved through incident management.
      annotation: '1. Ensure that a process is defined and documented to verify the
        exploitability of a vulnerability via audit logs.

        2. Ensure all identified exploitations are resolved through the incident management
        process.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-05 - Sample exploited vulnerability resolution evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:1
          text: 1. Inspect and validate that a process is defined and documented to
            verify the exploitability of a vulnerability via audit logs.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:2
          text: 2. Validate for a sample exploitation that it was resolved through
            the incident management process.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-04
      name: 'Vulnerability Scans: Trend Analysis'
      description: Organization reviews vulnerability trends over time to include
        in risk assessments; high and moderate risk vulnerabilities are remediated
        in 30 and 90 days, respectively.
      annotation: '1. Ensure that a process has been defined and documented for reviewing
        vulnerability trends.

        2. Ensure that appropriate SLAs are defined to remediate high and moderate
        vulnerabilities in 30 and 90 days.

        3. Ensure the results of these reviews are included in risk assessments.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-06 - Sample vulnerability remediation evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:1
          text: 1. Inspect and validate that a process has been defined and documented
            for reviewing vulnerability trends.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:2
          text: 2. Validate that appropriate SLAs are defined to remediate high and
            moderate risk vulnerabilities in 30 and 90 days.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:3
          text: 3. For a sample of vulnerabilities, validate whether medium and high
            risk vulnerabilities were remediated within the SLA.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-05
      name: Approved Scanning Vendor
      description: At least quarterly, Organization engages an Approved Scanning Vendor
        (ASV) to conduct external vulnerability scans.
      annotation: '1. Ensure a process has been defined and documented to conduct
        ASV scans for PCI envrionments every 90 days.

        2. Ensure all findings are remediated and re-scanning is done to maintain
        compliance. '
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-07 - Approved Scanning Vendor (ASV) Scan evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            to conduct ASV scans for PCI envrionments every 90 days.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:2
          text: '2. Validate for a sample quarter that, if applicable, all findings
            were remediated and re-scan was done to maintain compliance. '
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-06
      name: Application Penetration Testing
      description: Organization conducts penetration tests periodically.
      annotation: '1. Ensure that a process has been defined and documented for conducting
        penetration tests.

        2. Ensure the results of the penetration tests are appropriately documented
        and tracked till remediation.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-08 - Penetration Test Results'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for conducting penetration tests.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:2
          text: 2. Validate the results of last penetration test and verify whether
            the findings were tracked till remediation.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-07
      name: 'Application Penetration Testing: Cardholder Data Environment'
      description: "Organization conducts penetration tests against cardholder data\
        \ environments (CDE) and includes the following requirements:\n\u2022 testing\
        \ covers the entire CDE perimeter and critical data systems\n\u2022 testing\
        \ verifies that CDE perimeter segmentation is operational\n\u2022 testing\
        \ is performed from both inside and outside the CDE network\n\u2022 testing\
        \ validates segmentation and scope-reduction controls (e.g., tokenization\
        \ processes)\n\u2022 network layer penetration tests include components that\
        \ support network functions as well as operating systems \n\u2022 at the application\
        \ level, testing provides coverage, at a minimum, against the security testing\
        \ requirements defined in VM-05-01 (01)\n\u2022 testing is performed with\
        \ consideration of threats verified in the last 12 months from external alerts,\
        \ directives, and advisories defined in VM-06-02\n\u2022 testing is performed\
        \ with consideration of vulnerabilities reported through Organization's PSIRT\
        \ process within the last 12 months\n\u2022 risk ratings are assigned to discovered\
        \ vulnerabilities, which are tracked through remediation"
      annotation: "1. Ensure that a process has been defined and documented for conducting\
        \ penetration tests for the Card Holder Data Environments.\n2. Ensure that\
        \ the testing covers the following requirements:\n\u2022 testing covers the\
        \ entire CDE perimeter and critical data systems\n\u2022 testing verifies\
        \ that CDE perimeter segmentation is operational\n\u2022 testing is performed\
        \ from both inside and outside the CDE network\n\u2022 testing validates segmentation\
        \ and scope-reduction controls (e.g., tokenization processes)\n\u2022 network\
        \ layer penetration tests include components that support network functions\
        \ as well as operating systems \n\u2022 at the application level, testing\
        \ provides coverage, at a minimum, against the security testing requirements\
        \ defined in VM-05-01 (01)\n\u2022 testing is performed with consideration\
        \ of threats verified in the last 12 months from external alerts, directives,\
        \ and advisories defined in VM-06-02\n\u2022 testing is performed with consideration\
        \ of vulnerabilities reported through Organization's PSIRT process within\
        \ the last 12 months\n\u2022 risk ratings are assigned to discovered vulnerabilities,\
        \ which are tracked through remediation"
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-08 - Penetration Test Results'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:1
          text: 1. For PCI in-scope services, obtain and inspect evidence to show
            that external pen test, internal pen test, and segmentation tests were
            performed appropriately.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:2
          text: '2. Validate the pen test reports documented the below mentioned requirements: '
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:3
          text: "\u2022 testing covers the entire CDE perimeter and critical data\
            \ systems"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:4
          text: "\u2022 testing verifies that CDE perimeter segmentation is operational"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:5
          text: "\u2022 testing is performed from both inside and outside the CDE\
            \ network"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:6
          text: "\u2022 testing validates segmentation and scope-reduction controls\
            \ (e.g., tokenization processes)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:7
          text: "\u2022 network layer penetration tests include components that support\
            \ network functions as well as operating systems "
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:8
          text: "\u2022 at the application level, testing provides coverage, at a\
            \ minimum, against the security testing requirements defined in VM-05-01\
            \ (01)"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:9
          text: "\u2022 testing is performed with consideration of threats verified\
            \ in the last 12 months from external alerts, directives, and advisories\
            \ defined in VM-06-02"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:10
          text: "\u2022 testing is performed with consideration of vulnerabilities\
            \ reported through Organization's PSIRT process within the last 12 months"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:11
          text: "\u2022 risk ratings are assigned to discovered vulnerabilities, which\
            \ are tracked through remediation"
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-08
      name: Infrastructure Patch Management
      description: Organization installs security-relevant patches, including software
        or firmware updates; identified end-of-life software must have a documented
        decommission plan in place.
      annotation: "1. Ensure that a process for patch management and end-of-life requirements\
        \ is defined and documented.\n2. Ensure that patch updates are implemented\
        \ for all compute resources. \n3. Ensure all end-of-life software are decommissioned\
        \ with a documented plan."
      typical_evidence: 'E-VM-09 - Infrastructure Management Policy

        E-VM-10 - Patch Implementation Evidence

        E-VM-11 - End of Life software decomission plan'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:1
          text: 1. Inspect and validate that a process for patch management and end-of-life
            requirements is defined and documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:2
          text: 2. For a sample of servers/virtual machine validate that patch updates
            are implemented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:3
          text: 3. For a sample of end-of-life software validate that it was decommissioned
            with a documented plan.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-09
      name: Enterprise Antivirus
      description: Organization has managed enterprise antivirus deployments to detect
        and respond to malicious activities.
      annotation: '1. Ensure a process has been defined and documented for deploying
        antivirus to detect and respond to malicious activities.

        2. Ensure that antivirus is deployed on all applicable systems.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-12 - Antivirus Deployment Evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for deploying antivirus to detect and respond to malicious activities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:2
          text: 2. For a sample system validate that antivirus is deployed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-10
      name: Enterprise Antivirus Tampering
      description: Antivirus mechanisms cannot be disabled or altered by users unless
        specifically authorized by management.
      annotation: 1. Ensure that appropriate policies are configured to prevent users
        from disabling or altering antivirus mechanisms.
      typical_evidence: E-VM-13 - Antivirus Configuration Policies
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10:question:1
          text: 1. Validate whether appropriate policies are configured to prevent
            users from disabling or altering antivirus mechanisms.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-11
      name: Enterprise Antivirus Scope
      description: Vulnerability scans are periodically performed on systems that
        do not require anti-virus; management determines if anti-virus should be required
        on the system based on scan results and associated risk.
      annotation: '1. Ensure a process is defined and documented to perform vulnerability
        scans on all systems.

        2. Ensure the process identifies systems on which antivirus should be deployed.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:1
          text: 1. Inspect and validate a process is defined and documented to perform
            vulnerability scans on all systems.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:2
          text: 2. Validate whether the scan identifies systems on which antivirus
            should be deployed.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-12
      name: 'Maintenance Tools: Inspect Media'
      description: Organization checks media containing diagnostic and test programs
        for malicious code before the media are used in production systems.
      annotation: '1. Ensure a process has been defined and documented to check media
        with diagnostic and test programs before using in production.

        2. Ensure that only media without any malicious code are used in production.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-14 - Media usage logs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:1
          text: 1. Inspect and validate that a process has been defined and documented
            to check media with diagnostic and test programs before using in production.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:2
          text: 2. Validate using logs and scan results that only media without any
            malicious code were used in production.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-13
      name: Code Security Check
      description: Organization conducts periodic source code checks for vulnerabilities.
      annotation: '1. Ensure a process has been defined and documented for performing
        source code check for vulnerabilities.

        2. Ensure all vulnerabilities are tracked and resolved as per organization''s
        SLA.'
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for performing source code check for vulnerabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:2
          text: 2. For a sample source code vulnerability validate that it was tracked
            and resolved per SLA.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-14
      name: 'Code Security Check: Cardholder Data Environment'
      description: "Where applicable, security testing performed prior to releasing\
        \ code into production includes the following:\n\u2022 code injection\n\u2022\
        \ buffer overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure\
        \ communications\n\u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\
        \u2022 cross-site scripting\n\u2022 improper access control\n\u2022 cross-site\
        \ request forgery\n\u2022 broken authentication session management"
      annotation: "1. Ensure a process has been defined and documented for performing\
        \ source code check for vulnerabilities.\n2. Ensure the following aspects\
        \ are covered as part of the testing:\n\u2022 code injection\n\u2022 buffer\
        \ overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure communications\n\
        \u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\u2022 cross-site\
        \ scripting\n\u2022 improper access control\n\u2022 cross-site request forgery\n\
        \u2022 broken authentication session management\n3. Ensure all vulnerabilities\
        \ are tracked and resolved as per organization's SLA."
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for performing source code check for vulnerabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:2
          text: '2. Validate for a sample scan whether the following aspects were
            covered as part of the testing:'
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:3
          text: "\u2022 code injection"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:4
          text: "\u2022 buffer overflows"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:5
          text: "\u2022 insecure cryptographic storage"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:6
          text: "\u2022 insecure communications"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:7
          text: "\u2022 improper error handling"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:8
          text: "\u2022 high-risk vulnerabilities"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:9
          text: "\u2022 cross-site scripting"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:10
          text: "\u2022 improper access control"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:11
          text: "\u2022 cross-site request forgery"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:12
          text: "\u2022 broken authentication session management"
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:13
          text: 3. For a sample source code vulnerability validate that it was tracked
            and resolved per SLA.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-15
      name: Third-Party Library Check
      description: Organization scans third-party libraries for vulnerabilities according
        to the service risk rating assignment.
      annotation: '1. Ensure a process has been defined and documented for performing
        source code check for vulnerabilities.

        2. Ensure that third-party libraries are scanned for vulnerabilities as per
        service risk rating assignment.

        3. Ensure all vulnerabilities are tracked and resolved as per organization''s
        SLA.'
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for performing source code check for vulnerabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:2
          text: 2. Validate for a sample scan whether third-party libraries are scanned
            for vulnerabilities as per service risk rating assignment.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:3
          text: 3. For a sample source code vulnerability validate that it was tracked
            and resolved per SLA.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-16
      name: Non-disclosure of Error Detail
      description: Information systems are designed to ensure error messages generated
        provide adequate information for taking corrective action without revealing
        sensitive information.
      annotation: 1. Ensure that a process is defined to design Information systems
        in such a way that error messages generated provide adequate information for
        taking corrective action without revealing sensitive information.
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-VM-16 - Sample Error Messages'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:1
          text: 1. Inspect the type of error messages configured in a sample of applications.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:2
          text: 2. Ensure no sensitive data or user information is provided via error
            messages. Additionally, ensure appropriate corrective actions are highlighted
            in the error message.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-17
      name: Embedded Authenticators
      description: Quality Engineering checks to ensure that static passwords are
        not embedded within application source code or access scripts, prior to deployment
        on the Organization network.
      annotation: '1. Ensure a process has been defined and documented for performing
        source code check for vulnerabilities.

        2. Ensure that static passwords are not embedded within application source
        code or access scripts, prior to deployment on the Organization network.

        3. Ensure all vulnerabilities are tracked and resolved as per organization''s
        SLA.'
      typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy

        E-RM-02 - Latest vulnerability assessment report'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for performing source code check for vulnerabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:2
          text: 2. Validate for a sample scan whether a check was done so that static
            passwords are not embedded within application source code or access scripts,
            prior to deployment on the Organization network.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:3
          text: 3. For a sample source code vulnerability validate that it was tracked
            and resolved per SLA.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-18
      name: External Information Security Inquiries
      description: Organization reviews information-security-related inquiries, complaints,
        and disputes.
      annotation: '1. Ensure a process has been defined and documented to receive
        information related inquiries, complaints, and disputes.

        2. Ensure all of the received inquiries, disputes, and compliants are reviewed
        and resolved as applicable.'
      typical_evidence: 'E-IR-02 - Incident Management Policy

        E-VM-17 - Sample Disputes, inquiries and complaints'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:1
          text: 1. Inspect and validate that a process has been defined and documented
            to receive information related inquiries, complaints, and disputes.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:2
          text: 2. Validate for a sample query that it was reviewed and resolved as
            applicable.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-19
      name: External Alerts and Advisories
      description: Organization reviews alerts and advisories from management approved
        security forums and communicates verified threats to authorized personnel.
      annotation: '1. Ensure that a process has been defined and documented to review
        alerts and advisories from approved security forums.

        2. Ensure that management reviews the list of approved security forums and
        updates accordingly.

        3. Ensure all verified threats are communicated to authorized personnel and
        tracked to resolution'
      typical_evidence: 'E-IR-02 - Incident Management Policy

        E-VM-18 - Management Review Evidence

        E-VM-19 - Verified Threats resolution evidence'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:1
          text: 1. Inspect and validate that a process has been defined and documented
            to review alerts and advisories from approved security forums.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:2
          text: 2. Validate whether the management reviews the list of approved security
            forums and updates accordingly using last update evidence.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:3
          text: 3. Validate communication and resolution evidence for a sample of
            verified threats.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-20
      name: Third-Party Security Assessment
      description: Organization engages qualified managed service providers to perform
        independent information security assessments.
      annotation: '1. Ensure a process has been defined and documented to engage qualified
        managed service providers for performing independent information security
        assessments.

        2. Ensure these assessments are performed in accordance with organization
        requirements.'
      typical_evidence: 'E-SG-01 - Information Security Management Standard

        E-VM-20 - Sample Independent Information Security Assessment Results'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            to engage qualified managed service providers for performing independent
            information security assessments.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:2
          text: 2. Validate whether these assessments were performed in accordance
            with organization requirements.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-21
      name: Security Testing Window
      description: Security administrators notify relevant parties prior to executing
        technical security assessments; assessment details and results are documented
        in a ticket.
      annotation: '1. Ensure a process has been defined and documented to notify relevant
        parties before executing technical security assessments.

        2. Ensure all assessment details and results are appropriately documented.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-21 - Sample Assessment Ticket and notification'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            to notify relevant parties before executing technical security assessments.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:2
          text: 2. Validate for a sample assessment whether details and results were
            appropriately documented.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:3
          text: 3. Also validate whether appropriate notification was sent to all
            relevant parties prior to executing the assessment.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-22
      name: Vulnerability Remediation
      description: Organization assigns a risk rating to identified vulnerabilities
        and prioritizes remediation of legitimate vulnerabilities according to the
        assigned risk.
      annotation: '1. Ensure a process has been defined and documented for assigning
        risk rating to all identified vulnerabilities.

        2. Ensure vulnerabilities are remediated and prioritized as per the risk rating.'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-20 - Sample Independent Information Security Assessment Results'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:1
          text: 1. Inspect and validate whether a process has been defined and documented
            for assigning risk rating to all identified vulnerabilities.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:2
          text: 2. Validate for a sample of vulnerabilities whether they were remediated
            as per their risk rating.
    - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320
      ref_id: VM-23
      name: Backlog Prioritization
      description: Organization documents identified bugs, prioritize bug fixes according
        to risk, and tracks resolution as part of the product release cycle.
      annotation: '1. Ensure a process has been defined and documented for creating
        documentation for identified bugs.

        2. Ensure all identified bugs are fixed  according to risk and are tracked
        till resolution'
      typical_evidence: 'E-VM-01 - Vulnerability Management Policy

        E-VM-22 - Sample Identified Bugs'
      question:
        question_type: unique_choice
        question_choices: *id001
        questions:
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:1
          text: 1. Inspect and validate that a process has been defined and documented
            for creating documentation for identified bugs.
        - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:2
          text: 2. Validate for a sample of all identified bugs whether they were
            fixed  according to risk and were tracked till resolution